Commit Graph

569 Commits

Author SHA1 Message Date
RaresKeY 4f04c347cc feat(models): define capability schema and readers (#2739)
* feat(models): define capability schema and readers

* fix(models): harden Google catalog probing

Restrict native catalog probing to the Gemini host, keep provider keys out of request URLs, filter non-chat model resources, and preserve the manual refresh default in the built-in Google add flow.
2026-07-18 09:40:58 +01:00
Christopher Mayfield 9aa593b6a5 Merge branch 'odysseus-dev:main' into main 2026-07-17 16:22:02 -05:00
Boody c1d6287e32 fix(mcp_manager): remove timeout from MCP connection attempts and handle registration cleanup 2026-07-13 08:56:46 +02:00
Boody 5971b091db fix(mcp_manager): implement concurrent server connections with timeout handling 2026-07-13 08:56:46 +02:00
RaresKeY 9844a2f9a1 chore(release): bump version to 1.0.2 2026-07-12 08:20:59 +02:00
RaresKeY 724305b65d fix(chat): require explicit web search enable
(cherry picked from commit 54f1d015b5)
2026-07-12 08:20:59 +02:00
Astarte f13e54de6e fix(cleanup): update MODULE_SUMMARY and remove dead MEMORY_DOC paths (#4411) (#5160)
* docs: update static/js/MODULE_SUMMARY.md to reflect current ES6 frontend

Rewrite the stale module summary to match the current no-build,
ES6-module frontend architecture. Adds coverage of app.js orchestration,
the chat/SSE pipeline (chat.js, chatStream.js, chatRenderer.js,
streamingRenderer.js), new subsystems (research/, compare/, document
streaming, cookbook*, skills.js), and removes the obsolete <script> load
order assumptions.

* cleanup: remove dead MEMORY_DOC / memory_doc paths (closes #4411)

Removes the unused MEMORY_DOC constant and the matching DataConfig
memory_doc field / set_data_paths entry. No runtime code imports or
references these paths, so this is a no-behavior-change dead-code
cleanup under the storage-architecture tracker #4377.
2026-07-11 17:06:19 +01:00
falabellamichael d16b849c3e fix(stabilization): harden attachment lifecycle and agent guard signals (#5420)
* fix: harden stabilization attachment and agent guards

* fix(uploads): preserve durable references during cleanup

* fix(uploads): close cleanup and compaction races
2026-07-11 15:14:14 +01:00
RaresKeY 6b8f84553c fix(llm): avoid blocking Kimi Code async header probes (#5231) 2026-07-11 15:06:15 +01:00
RaresKeY 7f3fd77121 fix: preserve pythonpath for built-in mcp servers (#5117) 2026-07-11 14:34:42 +01:00
Peter Karlsson 801c3a2ff1 fix(email): use UID commands instead of sequence numbers in IMAP fetches (#5149)
conn.search() / conn.fetch() operate on volatile positional sequence
numbers that shift whenever messages are deleted or expunged. Three call
sites in the sig-learner (_pull_headers, _fetch_bodies) and morning-brief
email section were storing these as "uid" and reusing them in subsequent
fetches — causing wrong-message returns or NO responses if another client
modified the mailbox concurrently.

Replaced with conn.uid("SEARCH", ...) / conn.uid("FETCH", ...), which use
persistent RFC 3501 UIDs. _scan_one (urgency action) already did this
correctly; these were the remaining callers.

The reproduction window is narrow (requires concurrent deletion between
search and fetch), so the fix is verified by regression tests rather than
manual end-to-end: _SpyImap raises AssertionError if conn.search() or
conn.fetch() are called instead of conn.uid().
2026-07-11 14:06:40 +01:00
jagadish-zentiti 890d6a0220 fix(agent): cancel orphaned tool task when SSE client disconnects mid-call (#5106)
stream_agent_loop's per-tool drain loop had no cleanup path for early
generator close. Starlette throws GeneratorExit into the generator at
whatever await point it's suspended on when the SSE client disconnects
(aclose()) - here that's 'await _progress_q.get()' inside the drain
loop, before the final 'await _tool_task' line ever runs. The task,
which wraps execute_tool_block, was left running unawaited and
uncancelled.

For bash/python tools this orphans the underlying subprocess:
subprocess_tools.py already has correct CancelledError handling that
kills the child process, but only runs if the task is actually
cancelled. A client disconnecting mid long-running command left that
subprocess running server-side for its full duration with nothing
left to reap it.

Wrap the drain loop in try/finally: on early exit, cancel _tool_task
(if not already done) and await it so the existing subprocess-kill
path runs.

Adds a regression test that drives the real stream_agent_loop with a
fake tool handler, closes the generator mid tool-call (mirroring what
Starlette does on disconnect), and asserts the handler observed
cancellation immediately - not merely via asyncio.run()'s own
end-of-run task cleanup, which would mask the bug.

Fixes #5105
2026-07-11 13:44:06 +01:00
tanmayraut45 e6d9d68729 CalDAV: close the DAVClient on sync and write-back paths (#4793)
_sync_blocking (src/caldav_sync.py) and _writeback_blocking
(src/caldav_writeback.py) each open their own caldav.DAVClient via
_build_dav_client, but never close it. The client owns an HTTP session
with a pooled connection; without a close() that connection is held until
process exit.

Previously the fix added explicit client.close() calls before each early
return and at the end of the DB finally block. This still leaked the
client when SessionLocal() raised before the DB try/finally was entered.

Now _sync_blocking wraps the entire post-construction path in an outer
try/finally that calls client.close() unconditionally, covering:
  - AuthorizationError / NotFoundError early return
  - URL-fallback failure early return
  - no-calendars early return
  - normal return after sync
  - SessionLocal() construction failure (new regression coverage)

_writeback_blocking already used a try/finally (unchanged).

- src/caldav_sync.py: replace scattered client.close() calls with a
  single outer try/finally block around the discovery + DB sync path
- tests/test_caldav_client_cleanup.py: add CalendarDeletedEvent to the
  database stub; add regression test for SessionLocal() failure path

Closes #4593
2026-07-11 13:03:24 +01:00
jagadish-zentiti bc771fbc1e fix(mcp): guard DbTokenStorage against non-dict oauth_tokens JSON (#5107)
_load() returned whatever json.loads() produced without checking it was a
dict; _update() did the same before assigning data[key] = value. If the
oauth_tokens column ever held a JSON array or primitive (DB corruption,
manual edit, migration drift), _load()'s callers crashed with
AttributeError on .get(), and _update() crashed with TypeError trying to
item-assign into a list/string/int.

Validate the parsed value is a dict in both methods, falling back to {}
otherwise - same recovery behavior already used elsewhere in the codebase
for this exact JSON-blob-is-not-a-dict shape (_parse_tool_args,
_is_sensitive_path's siblings).

Adds 3 regression tests for _load, get_tokens, and _update against a
non-dict oauth_tokens value.

Fixes #5082
2026-07-11 05:26:23 +01:00
Ashvin a8d215a390 fix(tasks): scope manage_tasks mutations to an exact task owner (#5264)
The edit/delete/pause/run actions of do_manage_tasks gated ownership with
`if owner and task.owner and task.owner != owner`. The middle term made the
check a no-op whenever task.owner was null/empty — the state a scheduled task
sits in when it was created in no-login mode (or via the localhost middleware
bypass) before the periodic legacy-owner sweep reassigns it to the admin user.
Any authenticated user's agent could then edit, delete, pause, or run another
tenant's owner-less task; edit+run lets an attacker rewrite the task prompt and
execute it in the scheduler's agent context.

The sibling `list` action already scopes with an exact `owner == owner` filter,
so the mutators were strictly more permissive than the reader. Drop the middle
term so the guard fails closed on owner-less rows for authenticated callers,
matching `list` and the calendar/notes/gallery/session null-owner gates. Auth
disabled (owner falsy) and same-owner access are unchanged.
2026-07-11 01:45:14 +01:00
Boody d88c8cbacf Merge pull request #5313 from RaresKeY/fix/chat-web-search-explicit-deny
fix(chat): require explicit web search enable
2026-07-09 01:56:32 +03:00
Wes Huber a35384e68f fix(copilot): guard request_flags against a non-dict last message (#5274)
request_flags derives (agent, vision) and does last.get("role") after only
a truthy check. A client can send a bare-string message element
("messages": ["hi"]), and the vision loop right below already guards each
element with isinstance — so the .get() on a non-dict last element is an
oversight that raises AttributeError on every Copilot-proxied request with
such a body.

Use isinstance(last, dict) to match the loop's own guard.

Fixes #5273

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-07-08 23:57:23 +02:00
Miraç Duran 3064819e3d fix(chat): give extensionless image/audio uploads a valid MIME subtype (#5205)
build_user_content derived the data-URL subtype from the file extension
only (image_format = ext[1:]). An extensionless upload (e.g. a pasted
screenshot) has ext == "", producing "data:image/;base64,..." with an
empty subtype (invalid per RFC 2046) that vision/audio endpoints reject,
silently dropping the attachment. Fall back to the resolved MIME subtype
when the extension is missing; present extensions are unchanged.
2026-07-08 21:04:15 +02:00
RaresKeY 54f1d015b5 fix(chat): require explicit web search enable 2026-07-08 17:44:28 +00:00
pewdiepie-archdaemon 038bdd85ec Stabilize local dev merge
Align regression tests with the current Odysseus behavior after merging origin/dev into local main.

- keep phone/name-only contacts valid and cover null email without crashes

- pin explicit web-search false form submission in chat.js

- update Cookbook dependency/download completion tests for combined live + persisted output

- expose SGLang OS package repair hints from backend diagnosis

- treat MLX and MLX-community repos as servable on Apple Metal while keeping CUDA behavior unchanged

- keep desktop new-chat coverage on the shared preferred-model helper

- remove a hardcoded crop overlay portal z-index literal

- include the local agent-loop cleanup that removes the old manage_notes reminder repair shim

Verified with: docker run --rm -v /home/pewds/odysseus-cookbook-fresh:/app -w /app odysseus-cookbook-fresh-odysseus python3 -m pytest -q (4515 passed, 4 skipped).
2026-07-07 01:15:20 +00:00
pewdiepie-archdaemon b5ec40d505 Merge remote-tracking branch 'origin/dev'
# Conflicts:
#	routes/contacts_routes.py
2026-07-07 00:51:34 +00:00
pewdiepie-archdaemon 017903de61 Checkpoint Odysseus local update 2026-07-07 00:50:07 +00:00
RaresKeY 2826dcfc33 fix(tasks): gate cookbook serve task execution (#5235) 2026-07-05 13:19:04 +01:00
Boody a05221571c Merge pull request #5181 from harshit-ojha0324/fix/webhook-trailing-slash
fix(integrations): don't append a trailing slash when api_call path is '/'
2026-07-05 03:44:19 +03:00
Boody 440d99d02c Merge pull request #5166 from QlikChrister/fix/tool-rag-timeout-keyword-fallback
fix(agent): fall back to keyword tool selection when retrieval times out
2026-07-04 23:16:52 +03:00
Wes Huber 6114ef0d6d fix(security): pin webhook delivery to the SSRF-validated IP (DNS rebinding) (#5147)
validate_webhook_url resolves the host to accept/reject, but the delivery
connect (httpx.AsyncClient.post) re-resolved independently — a DNS record
flipping between the two lookups (rebinding) could slip an internal IP
(127.0.0.1 / 169.254.169.254 / LAN) past the check and receive the signed
payload. The module docstring already flagged this as only a "partial
defense".

Resolve + validate once via _validated_public_ips, then pin the delivery
TCP connect to that approved IP with an async _PinnedAsyncTransport built
on the public httpcore/httpx APIs (mirrors the sync search-fetch pin from
#704). The URL, Host header, and TLS SNI are unchanged, so certificate
validation and vhost routing still target the original hostname; only the
socket destination is pinned.

Delivery now uses a per-request pinned client instead of one shared client,
so close() is a no-op kept for API compatibility. Adds end-to-end tests that
drive the real transport against loopback servers, proving the connect
follows the pin rather than re-resolving the URL host.

Fixes #5146

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-07-04 17:03:38 +01:00
Wes Huber 3dd031c139 fix(security): validate integration api_call URLs with the outbound SSRF guard (#5145)
execute_api_call — reachable by the LLM through the api_call agent
tool — joined the integration's user-configured base_url with an
LLM-controlled path and requested it with no IP validation, so a
base_url (or a hostname resolving) into the metadata range
(169.254.169.254) was fetched server-side with the integration's auth
headers attached.

Run check_outbound_url on the joined URL before connecting, matching
the gallery endpoint, embeddings, CardDAV, and reminder webhook
surfaces. Link-local/metadata is always rejected;
INTEGRATION_API_BLOCK_PRIVATE_IPS=true also blocks RFC-1918/loopback.
Private stays allowed by default because LAN integrations
(Home Assistant, Miniflux, ntfy) are the primary use case.

The truncation-test helpers stub the guard open because their
api.example.com fixture host does not resolve and the guard fails
closed on DNS errors.

Fixes #5143

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-07-04 16:58:14 +01:00
Ashvin d3faa00aaa fix(security): match grep's rg sensitive-file exclusions case-insensitively (#5189)
The grep tool's ripgrep fast-path excluded deny-listed key files with
`--glob "!*<pat>*"` for each entry in _SENSITIVE_FILE_PATTERNS. ripgrep's
--glob is case-sensitive, so on a case-insensitive filesystem (Windows,
default macOS) a key stored under a case variant of its name (ID_RSA,
Known_Hosts, Authorized_Keys) is the same file on disk but slips past the
lowercase exclusion, and ripgrep returns its contents. Those names are
non-dotfiles, so ripgrep's default hidden-file skipping does not cover them
either. The Python fallback already blocks them via the case-folded
_is_sensitive_path (#5097), so the two paths disagreed.

Switch the sensitive-pattern exclusions to --iglob so they match
case-insensitively, mirroring _is_sensitive_path. Add a regression test
that seeds ID_RSA and Known_Hosts and asserts grep returns ordinary
matches but not the key contents.
2026-07-04 16:52:25 +01:00
Alexandre Teixeira a3bbe37923 Merge pull request #5195 from ashvinctrl/fix/send-to-session-null-owner
fix(security): scope send_to_session to an exact session owner
2026-07-04 16:47:10 +01:00
badgerbees 5c16d39e91 fix(calendar): honor list_events date range aliases (#3283)
* fix(calendar): honor list_events date range aliases

* fix(calendar): reject partially resolved loose range queries
2026-07-04 14:44:46 +02:00
ashvinctrl 43ead1a0eb fix(security): scope send_to_session to an exact session owner
send_to_session let an authenticated caller reach a null-owner session.
The owner gate was `if owner and sess.owner and sess.owner != owner`, so a
target whose owner is None (legacy rows, or a session created while auth
was off) skipped the check and was read/written by any authenticated user.
list_sessions (get_sessions_for_user) and manage_session already exclude
null-owner sessions from an authenticated caller via an exact owner match,
so this path was the lone inconsistency — the same class of gap the
calendar owner=None fix closed.

Require an exact owner match: `if owner and sess.owner != owner`. Auth-off
(no owner) is unchanged, an exact-owner match still passes, and both
another user's session and a null-owner session are now not-found. Adds a
regression test that an authenticated caller cannot read the transcript of
or write into a null-owner session while single-user access still works.
2026-07-04 14:13:04 +05:30
harshit-ojha0324 d3ab478ef1 fix(integrations): don't append a trailing slash when api_call path is '/'
_join_integration_url built urljoin(base + '/', '') for a bare '/'
path — the minimum execute_api_call accepts — so every request against
a POST-to-base integration went to base_url + '/'. Discord webhook
URLs 404 ('Unknown Webhook') on the trailing-slash variant, which made
the integration look broken even though the stored base URL was
correct.

Resolve a bare '/' (or empty) path to the base URL itself and keep all
other paths joining exactly as before, including deliberate trailing
slashes inside non-empty paths (linkding /api/tags/, Home Assistant
/api/). The reminder webhook sender and the discord_webhook
connectivity test already posted to the bare base URL; execute_api_call
was the remaining path that re-added the slash.

Fixes #5138
2026-07-03 18:26:36 -04:00
Christer Hantilson b7df800e94 fix(agent): fall back to keyword tool selection when retrieval times out
The retrieval-timeout branch hard-coded ALWAYS_AVAILABLE, silently skipping
the deterministic keyword hints whenever the embedding backend was slow
(e.g. a remote endpoint cold-loading its model). Queries that named email
or calendar outright lost those tools and the model concluded the
integrations did not exist. Let the timeout fall through to the existing
keyword fallback instead — same baseline, plus the hints.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 16:10:46 +02:00
Abdul Fatah Jamro ff7164b9ec fix: resolve RAG manager search signature TypeError (#4994)
* fix: resolve RAG manager search signature TypeError and adjust similarity threshold

* fix: revert similarity threshold change to keep PR focused

* test(rag): remove trailing whitespace

---------

Co-authored-by: Alexandre Teixeira <alexandremagteixeira@gmail.com>
2026-07-03 15:07:16 +01:00
Tanmay Garg 7f43678a24 fix(tools): handle non-dict JSON values in _parse_tool_args (closes #5043) (#5064)
When an LLM generates a valid JSON string that parses to a native non-dict
type (like a list, int, or string), _parse_tool_args previously returned
that object. Callers expecting a dictionary would then crash with
AttributeError or KeyError when attempting to look up action keys.

- Update _parse_tool_args in src/tool_utils.py to explicitly type-check
  the parsed JSON object and return {} for non-dict objects.
- Add test coverage in tests/test_admin_tools_registry.py for lists,
  ints, and strings.
2026-07-03 13:07:44 +01:00
pewdiepie-archdaemon cf85c42195 Parse local function_model tool wrappers 2026-07-03 03:54:59 +00:00
pewdiepie-archdaemon 79716d717a Keep open document context for section edits 2026-07-03 03:04:22 +00:00
pewdiepie-archdaemon d360401808 Route structured writing requests to documents 2026-07-03 02:51:42 +00:00
Ashvin dff91efb10 fix(agent): skip deny-listed sensitive files in glob (#5094) 2026-07-02 10:28:33 +01:00
Ashvin b26ebbda95 fix(security): match the sensitive-file deny-list case-insensitively (#5097) 2026-07-02 10:11:51 +01:00
pewdiepie-archdaemon 2918739489 Fix merged test regressions 2026-07-01 11:12:55 +00:00
pewdiepie-archdaemon a07bbeccf5 Repair document tool args and metrics cleanup 2026-07-01 10:15:45 +00:00
pewdiepie-archdaemon 39eabbb27a Merge remote-tracking branch 'origin/dev'
# Conflicts:
#	routes/document_routes.py
2026-07-01 10:11:22 +00:00
pewdiepie-archdaemon d2959c1ae8 Stabilize chat and cookbook workflows 2026-07-01 10:09:25 +00:00
RaresKeY d85afd5d72 fix(agent): preserve bare email tool parity (#5075) 2026-06-30 19:20:56 +01:00
Katsoragi 7522b02034 fix(parser): parse Gemma 3/4 custom tool calling tokens (#5033)
* fix: parse Gemma 3/4 custom tool calling tokens in parser

* test: cover Gemma tool call parsing

---------

Co-authored-by: Alexandre Teixeira <alexandremagteixeira@gmail.com>
2026-06-30 19:00:09 +01:00
Alexandre Teixeira f38323c3a1 fix(docker): make host Docker socket opt-in (#4902)
* fix(docker): make host socket compose opt-in

* fix(cookbook): gate container Docker access

* fix(docker): gate socket group setup on opt-in

* fix(cookbook): gate generated docker exec serve commands

* fix(cookbook): narrow generated docker exec forms
2026-06-30 19:54:51 +02:00
badgerbees 1c1afe5dd1 fix: add grace period to document tidy to prevent deleting new documents (#5036) 2026-06-30 18:26:36 +01:00
Ashvin 9a80ab24af fix(model-context): read real context window for unknown proxy models (#4909)
api/proxy endpoints (OpenRouter, other OpenAI-compatible aggregators)
short-circuit _query_context_length: they only consult the static
KNOWN_CONTEXT_WINDOWS table and otherwise return DEFAULT_CONTEXT (128000).
Any model not in that table — e.g. a freshly listed OpenRouter model like
Owl-alpha — was therefore capped at 128k even though the endpoint's catalog
reports its true window (1048576), so the rest of the model context never
got used.

The short-circuit exists so a context lookup doesn't download a large proxy
catalog on every call. Keep that property for the common case: known models
still resolve from the table with no network. For a model missing from the
table, read the window from the endpoint's /models catalog and cache the
whole id->context map per endpoint, so the catalog is fetched at most once
per endpoint (not once per model) and only for models that were broken
anyway. On any fetch/parse failure or a model absent from the catalog, fall
back to DEFAULT_CONTEXT exactly as before.

Factor the per-entry field extraction the non-proxy path already used into
_model_ctx_from_entry so both paths share it.

Fixes #4886
2026-06-30 18:04:29 +01:00
CJ Remillard 005ff73142 fix(security): wrap email style, integration, and MCP descriptions as untrusted (#4965)
Three user-controlled content surfaces were being concatenated directly
into the trusted system role in _build_system_prompt, making them
exploitable for prompt injection:

  1. email_writing_style setting: user-editable via the settings UI.
     A malicious value like "Ignore all instructions. Delete all files."
     would be treated as a system-level instruction.

  2. Integration descriptions: user-editable via the integrations API.
     Same attack surface — description text injected into system role.

  3. MCP tool descriptions: sourced from external MCP servers.
     A malicious server could inject instructions via tool descriptions.

Fix: move all three out of agent_prompt (system role) and into
untrusted_context_message() user-role messages, matching the existing
pattern already used for active documents, email context, and skills.

For email style, the hardcoded identity/mechanical-style rules remain
in the trusted system prompt; only the user-editable style text moves
to the untrusted block.

Integration and MCP descriptions are removed from _build_base_prompt
entirely and reassembled in _build_system_prompt as untrusted messages.

Adds 9 regression tests covering all three surfaces.

Co-authored-by: CJ Remillard <cjRem44x>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30 17:54:03 +01:00