Make the Office canvas mount passive so Xpra starts only when the Desktop surface is opened or an official Office document is created/opened.
Track Desktop host visibility to unload hidden frames, stop monitors, dedupe viewport resize work, and set Xpra offscreen mode according to HTTPS support. Add a near-future note for the tunnel memory footprint.
Show Office desktop startup progress
Display a loading message while the Agent Zero Desktop environment is starting or restarting, so the right-canvas Desktop button gives immediate feedback before Xpra finishes waking up.
Remove dynamically loaded skills when they are deactivated from the Skills selector. Treat skill names and paths as aliases so scoped defaults, chat overrides, and loaded-skill state resolve consistently.
Route binary Office documents through the persistent Desktop surface while keeping Markdown in the custom tabbed editor.
Harden Xpra clipboard bridging and explicit clipboard flags so host paste can reach the desktop session.
Align XFCE and LibreOffice profile paths with Agent Zero locations: downloads for wallpapers, configured workdir for default saves and the Workdir shortcut, and trusted metadata for generated launchers.
Remove the Collabora/WOPI runtime and route stack, including the old status APIs, proxy helpers, bootstrap extensions, and WOPI store tests. Add the Markdown-first document store, LibreOffice status/conversion helpers, LibreOfficeKit session bridge, and reusable Xpra virtual desktop gateway used by the new document runtime.
Update image and self-update bootstrap paths so existing containers can acquire the LibreOffice, XFCE, Xpra, and desktop-control dependencies through the normal install hooks instead of an ad hoc manual install.
Persist the active agent profile with each chat context and add a context-scoped endpoint for switching profiles without mutating global settings. Update the WebUI selector and docs to treat settings as the default for new chats, and expose the switch through the A0 connector plugin.
When agent_profile is set to a concrete value (e.g. "agent0"), the
project/.a0proj/plugins/<plugin>/config.json path was skipped due to
an overly restrictive guard condition. Only wildcard/empty profiles
could reach the project-level config, making per-project plugin
overrides (including _model_config) silently ineffective for all
normal agent runs.
Remove the guard so the project-level config is always checked as a
fallback after the profile-scoped project path. Precedence is preserved:
profile-scoped project config > project-level config > global config.
Co-Authored-By: Octopus <liyuan851277048@icloud.com>
Update the WebSocket disconnect handler signature to accept the disconnect
reason now passed by python-socketio.
Agent Zero does not currently use the reason value, but keeping the parameter
matches the documented Socket.IO callback shape and avoids relying on the
library's legacy one-argument handler fallback.
python-socketio>=5.14.2 now documents server disconnect handlers as receiving sid, reason:
https://python-socketio.readthedocs.io/en/stable/server.html#connect-and-disconnect-events.
The 5.14.2 source also passes that reason into the disconnect event. It still has a legacy fallback that retries old one-arg handlers, so removing it would probably work today, but only by leaning on compatibility behavior.
Surface the active Agent Profile beside the model preset switcher and let users switch profiles through the existing settings flow.
- add agent profile metadata to state snapshots
- list available profiles in the chat composer profile dropdown
- persist profile changes via settings_get/settings_set
- add a Create new Agent Profile action that opens a guided a0-create-agent chat
- rename the agent-profile creation skill/docs from a0-new-agent to a0-create-agent
- clean up fetchApi imports for related WebUI modules
Keep image payloads out of persistent agent history by storing vision and
computer-use captures as file path references instead of inline base64 data.
- update vision_load to attach image paths without compression or JPEG conversion
- update computer_use_remote to attach shared capture artifact paths directly
- serialize local image refs into provider-valid data URLs only at request prep
- reject base64/data URL attachments on the connector WebSocket path
- advertise path_or_url as the connector attachment mode
Add LLM preset selection to project create/edit flows, backed by _model_config scoped project config. Support global, project, and combined preset APIs with explicit metadata while preserving plain YAML preset files. Copy selected preset chat/utility settings into project-scoped config, keep embedding settings from the effective config, and document/test the new project model config paths.
Unify skill handling layer and raise the active skills cap to 20.
The Skills UI now presents a simpler checklist-style flow for selecting active
skills, with live chat activation and saved defaults using the same visible list.
Skill contents can be opened in a read-only Ace viewer via the existing markdown
modal.
Restore remote document fetch compatibility for public sites after the
CVE-2026-4308 SSRF hardening.
The initial security fix correctly blocked non-public destinations, but
it also changed the outbound request fingerprint for `document_query`
remote fetches. Some public sites, including https://nvd.nist.gov/vuln/detail/CVE-2026-4308, used for testing, responded with HTTP
403 to the default `requests` user agent even though they remained safe
and publicly routable.
This change keeps the centralized SSRF protections in place while
restoring the previous request compatibility behavior by sending the
configured `USER_AGENT` header, falling back to the prior
`@mixedbread-ai/unstructured` value.
What is fixed:
- public URLs such as
`https://nvd.nist.gov/vuln/detail/CVE-2026-4308`
no longer fail with site-specific HTTP 403 due to request fingerprint
changes introduced by the SSRF mitigation
Address CVE-2026-4308 in the document_query tool remote-fetch path.
The issue was originally reported by @YLChen-007.
This change replaces ad hoc remote document fetching with a centralized
safe fetch flow that validates remote URLs before any network request is
used for parsing. It blocks localhost and non-public IPv4/IPv6 targets,
validates every redirect hop, disables implicit trust of proxy env
settings for this path, and enforces a strict remote document size cap.
It also removes direct third-party loader access to attacker-controlled
URLs by prefetching remote content first and then parsing only trusted
local bytes or temp files for HTML, text, PDF, image, and unstructured
document handling.
Refs:
- CVE-2026-4308
- Report by @YLChen-007
Add shared transport-level control commands so Telegram, WhatsApp, and
email threads can manage the active chat directly.
- add a shared integration command helper for /project, /config, /send,
and /queue send
- wire native command handling into Telegram and WhatsApp sessions
- expose Telegram control commands through bot command routing and update
transport docs
- add email thread command handling for existing A0 email conversations
- add an optional per-handler email conversation preset backed by model
presets in the email settings UI and default config
- document the new transport control flow across Telegram, WhatsApp, and
email
Add a builtin `a0-setup-cli` skill for guiding host-side A0 connector setup,
and restore the lightweight trigger-word based skill matching flow, which many users asked for.
- add builtin `skills/a0-setup-cli/` with installer-first host setup guidance,
container guardrails, fallback install paths, and example responses
- fix `helpers.skills_cli` so builtin skills under `/skills` are discoverable,
searchable, and validatable
- restore trigger-pattern scoring in runtime `search_skills()`
- re-enable `skills_tool:search` in the current tool flow
- add lightweight lexical relevant-skill recall for the current user message
without reintroducing memory/vector-db skill recall
- update skill prompts to steer the agent toward search/load when requests
match skill trigger phrases
Tool execution no longer waits for the full streamed assistant text. We now detect the first explicitly closed top-level JSON object, freeze that snapshot as the canonical tool request, and stop the model stream there for dispatch.
To make that safe, DirtyJson completion semantics are tightened so completed=true only means the root object was explicitly closed, not that parsing hit end of file. I also restricted the new extraction path to object roots only, since tool calls are always brace-delimited objects, and added tests for parser completion and early stream stop.
Track parsing depth via _pop_stack() helper. Exposes a 'completed' flag that signals when the root JSON structure is fully closed, allowing stream consumers to break early instead of waiting for irrelevant tokens.
`find_plugin_dir` can return `None` if a plugin cannot be found. Passing
this null value to `files.get_abs_path` caused crashes during config
retrieval. `get_plugin_config` and `get_default_plugin_config` now check
for a valid directory and return early if it is missing.
- Extract UI server setup into UiServerRuntime class with modular initialization
- Move environment configuration, route registration, and transport handlers to helpers/ui_server.py
- Add released_at timestamp tracking for git tags and branch heads across update system
- Implement get_current_major_main_latest_info to find latest same-major version on main branch
- Add major_upgrade_versions and main_branch_latest fields to update info payload
- Remove
Ensure printed output and HTML logs are safe by importing and applying sanitize_string, opening log files with utf-8 and errors='replace', and sanitizing text before writing. Add tests to verify lone surrogate characters are replaced and that logging won't crash on invalid Unicode. In the plugin installer UI, introduce POPULAR_PLUGIN_MIN_STARS and centralize popularity checking in _isPopularPlugin, using it for filtering and counts.
- Consolidate ConnectionIdentity, _ws_debug_enabled(), ws_debug() into ws.py as single-source exports, removing duplicate definitions in ws_manager.py and state_monitor.py
- Make send_data() optional args keyword-only to prevent positional argument confusion with the instance method signature
- Fix clear_plugin_cache in plugins.py: wrong parameter name (event_name → event_type) and stale namespace (/webui → /ws)
1. Extract _collect_results method — Deduplicated ~30 lines of identical result processing from route_event and process_client_event (Exception→error / WsResult→as_result / dict→wrap / None→strategy branch) into a private method with a skip_none parameter.
* route_event calls _collect_results(skip_none=False) — None becomes ok=True (server-initiated, callers expect a result for every handler)
* process_client_event calls _collect_results(skip_none=True) — None is skipped (client-initiated, matching legacy _dispatch fire-and-forget semantics)
2. Document None semantics difference — Added # NOTE: comment at the route_event call site explaining why skip_none=False differs from process_client_event.
3. Unify _timestamp() usage — Replaced inline timestamp formatting in _wrap_envelope and handle_connect with self._timestamp() method reuse.#
- Fix Memory Leaks: Resolved SID retention in _known_sids after disconnection and cleaned up unreferenced broadcast tasks in _schedule_lifecycle_broadcast.
- Unify Dispatching Paths: Unified client and server event dispatching through the process_client_event() method to ensure diagnostic consistency.
- Optimization & Cleanup: Expanded the _OPTION_KEYS whitelist, removed dead code (iter_event_types), and deleted unused websocket exports.
- Robustness: Added handling for None responses in process_client_event to prevent cluttering responses with empty results.
- Testing: Added test cases to verify SID TTL expiration and stale SID cleanup on disconnect.
Add display_version to get_repo_version_info output that shows tag+commits (e.g. "v1.11+9") for development builds. Update self-update UI to prefer display_version over short_tag for current version display. Add describe field to modal when it differs from short_tag. Add test coverage for display_version generation on non-main branches.
Defer `from helpers import subagents` to function scope in get_webui_extensions and _get_extension_classes to prevent circular import issues. Remove module-level subagents import.
- Add trigger_self_update.sh to executable permissions in Dockerfile
- Add trigger-update command mode to self_update_manager.py with argparse CLI
- Add queue_update_request helper to write trigger file with normalized parameters
- Add parse_selector_version, is_valid_selector_tag, is_supported_selector_tag helpers
- Add get_latest_same_major_tag to resolve "latest" within current major version line
- Add ensure
Replace sync_self_update_runtime_files with durable_self_update_supports_latest that checks whether the durable updater supports the "latest" selector by inspecting manager source code for LATEST_SELECTOR_TAG and resolve_requested_target. Check durable manager first, fall back to repo manager if missing. Block "latest" selection in schedule_update and hide it from get_selector_tag_options when durable updater lacks support.
- Add _get_remote_branch_names helper to fetch available branches via git ls-remote with caching
- Add _get_local_origin_branch_names fallback for offline scenarios
- Add get_available_branch_values and get_available_branches to expose filtered branch list
- Add _is_excluded_self_update_branch helper to filter out HEAD, PR branches
- Add _sort_branch_names to deduplicate and sort branches with main first
- Add
- Add get_current_branch_latest_info helper to fetch and format latest version info for current branch
- Add _format_branch_head_version helper to format version display (tag only for main, tag+commits for other branches)
- Include current_branch_latest in get_update_info response
- Replace single current version card with two-column grid showing current and latest versions
- Move last attempt status
- Add LATEST_SELECTOR_TAG constant and is_latest_selector_tag helper to identify "latest" selection
- Add split_describe_version helper to parse git describe output into tag and commit count
- Replace fetch_release_refs with resolve_requested_target that handles both specific tags and "latest" resolution
- For main branch, resolve "latest" to newest reachable release tag
- For testing/development branches
- Update default backup path from /a0/tmp/self-update-backups to /root/update-backups in self_update_manager.py, helpers/self_update.py, and documentation
- Move aiogram from global requirements.txt to plugin-local requirements for _telegram_integration
- Add ensure_dependencies() helper that installs aiogram on-demand via uv pip install
- Add has_aiogram() check to avoid
- Add ready branch to Docker publish workflow alongside testing and main
- Replace tag search/autocomplete UI with standard select element preloaded with current major version tags
- Add get_selector_tag_options helper that filters tags to current major line and returns list of higher major versions available
- Show attention banner with Docker update guide link when newer major versions exist on selected
- Change update check API endpoint from api.agent-zero.ai to tapi.agent-zero.ai
- Move self-update modal opening logic from inline handler to store method
- Add openModal method to self-update store for centralized modal management
- Import self-update store in backup settings component
- Replace closeModal window method call with imported closeModal function
- Add SELF_UPDATE_MODAL_PATH constant for consistent
- Add _get_remote_branch_merged_tags to fetch tags from official repo via temporary bare clone
- Add _remote_branch_tag_cache with 60-second TTL to reduce redundant fetches
- Add _get_official_remote_url helper for consistent remote URL construction
- Rename existing _get_branch_merged_tags to _get_local_branch_merged_tags
- Update _get_branch_merged_tags to prefer remote tags with fallback to local
- Add REMOTE_BRANCH_TAG_CACHE_TTL_SECONDS constant
- Add tag verification in schedule_update before accepting update requests
- Check if selected tag exists on target branch via get_available_tags
- Add tagExistenceWarning computed property to display branch-specific errors
- Add tagExistenceChecked state flag to track validation status
- Implement onTagBlur handler to validate tag on input blur
- Add frontend validation in scheduleUpdate before API submission
- Change tag dropdown clicks from @
- Change version tag format from `v{epoch}.{major}.{minor}.{rest}` to `v{major}.{minor}`
- Raise minimum selector version from v0.9.9 to v1.0
- Update tag parsing to require exactly two version segments
- Add numeric sorting for version tags (e.g., v1.10 > v1.9)
- Update major version compatibility check to compare first number only
- Improve validation messages: "vX.Y.Z" → "vX.Y", add "v1.0 or newer" requirement
- Clear default
- Refactor API key management: move from global env-only to per-model config with dotenv fallback
- Add API key placeholder masking and reveal functionality in WebUI
- Consolidate API key validation logic into `has_provider_api_key()` helper
- Improve update system: add branch filtering for tags, simplify backup naming
- Add branch detection to version info and default to current branch for updates
- Extract configure model settings link to constant
