Releases: BackendStack21/odek
Release list
v1.11.0
What's New
Configurable LLM tool list
You can now control exactly which tools odek exposes to the LLM, across every entry point (run, continue, repl, serve, telegram, subagent, schedule, and mcp).
Configuration layers (highest priority wins):
--tool <name>/--no-tool <name>CLI flagsODEK_TOOLS_ENABLED/ODEK_TOOLS_DISABLEDenvironment variables~/.odek/config.json./odek.json(disabled list only, for security)
Example: run a chatbot that can only search the web and read files:
odek run --tool web_search --tool read_file "find me the latest Go release notes"Notes:
enabledis a whitelist;disabledis a blacklist.- Empty or missing
enabledmeans "all tools" (backward compatible). - MCP tool names use the
<server>__<tool_name>format. - Telegram always keeps
send_messageandclarifyavailable so the bot can respond and ask for clarification.
Fixes
- Stopped
odek config initfrom generating an emptytools.enabledwhitelist that would disable every tool on first use. - Ensured tool filtering applies to MCP tools as well as built-in tools.
- Corrected the
odek.Config.ToolFilterdocumentation to match actual behavior. - Added explicit errors for
--tool/--no-toolflags missing their values inodek serve. - Made whitelist tool ordering deterministic.
Behind the scenes
- Removed unused
sliceContainshelper. - Removed stale "RED test" comments now that the feature is implemented.
- Cleaned up
filterBuiltinToolssignature. - Added tests for serve-mode tool flag parsing.
PRs
- fix(danger): tighten paraphrased-exfiltration regex to stop AGENTS.md false positive by @jkyberneees in #45
- feat(tools): configurable LLM tool list by @jkyberneees in #46
Full Changelog: v1.10.3...v1.11.0
v1.10.3
Release v1.10.3
This patch release hardens the internal/danger classifier and closes coverage gaps identified during AI verification of v1.10.2 / PR #43.
What's changed
- Hardened
chmodsetuid/setgid detection- Symbolic modes using
=(e.g.chmod u=rws,chmod a=rwxs) are now correctly classified assystem_write, closing a bypass of the existing+s/ octal-mode detection.
- Symbolic modes using
- Extended classifier coverage (PR #43)
- File-mutating commands targeting system paths (
/etc,/usr,/bin, …) now escalate tosystem_writeinstead of auto-allowing aslocal_write. chmodsetuid/setgid (u+s,g+s,4755, …) is nowsystem_write.- Added destructive-disk tools (
wipefs,blkdiscard,sgdisk,cryptsetup, etc.),shredtarget-aware handling, and machine power-control commands (shutdown,reboot,halt,poweroff). - Piping untrusted output into non-shell interpreters (
| python,| perl,| node, …) is nowcode_execution.
- File-mutating commands targeting system paths (
- Injection scanner expansion (PR #43)
- New patterns for concealment instructions, forged chat control tokens / role markers, and data-exfiltration beacons.
- Code-quality fixes
- staticcheck QF1001 cleanup in
isAssignment. - Checked
devnull.Close()error in test cleanup.
- staticcheck QF1001 cleanup in
Assets
Pre-built binaries are attached for Linux and macOS (amd64 + arm64). Verify with checksums.txt.
v1.10.2
v1.10.1
What's Changed
- Security hardening: fix high/medium/low findings (#50-#76) by @jkyberneees in #42
Full Changelog: v1.10.0...v1.10.1
v1.10.0
What's Changed
- security: harden user-input attack surface (#50-#59) by @jkyberneees in #41
Full Changelog: v1.9.0...v1.10.0
v1.9.0
What's Changed
- feat(schedule): schedule-specific dangerous policy override by @jkyberneees in #40
Full Changelog: v1.8.0...v1.9.0
v1.8.0
What's Changed
- fix: file-tool security vulnerabilities by @jkyberneees in #37
- Security hardening: 30 exploitable vulnerabilities (batches 1–7) by @jkyberneees in #38
- Security hardening: sandbox, config, MCP, sessions, Telegram, schedule, skills/episodes, vector indexes by @jkyberneees in #39
Full Changelog: v1.7.0...v1.8.0
v1.7.0
Highlights
odek v1.7.0 is a security-and-resilience release: it hardens the agent against several real-world failure modes (infinite hangs, prompt-injection-driven escalation, SSRF, a serve-mode deadlock) and adds conversational continuity for scheduled tasks. Everything here is backwards-compatible — no config changes required.
🔒 Security hardening
- No more sandbox escape via
~/.odek/. A confined/untrusted sub-agent could previously rewrite its ownconfig.json(disable the sandbox, enable YOLO mode), drop an auto-loadedSKILL.md, or overwrite shell rc files. Those trust anchors are now protected and the write tools are confined. (#30) - SSRF & DNS-rebinding blocked. Web/HTTP tools now re-check the resolved IP at dial time and refuse internal targets (cloud metadata
169.254.169.254,10.x,192.168.x, IPv6 ULA), closing the gap where a hostname that looks external resolves to an internal address. (#31)
🛡️ Reliability & recoverability
- The browser approval prompt works again. A serve-mode deadlock made every Web UI approval time out and get denied; fixed, along with a data race that could crash
serveunder parallel tool calls. (#32) - Tools can no longer hang the agent forever.
shell(and the other long-running tools) now honor a timeout and Ctrl-C / turn cancellation — a stuck command is killed instead of wedging the session. (#34) - Sturdier LLM calls & durable state. Secondary LLM calls now retry, rate limits honor
Retry-After, and session/memory writesfsyncbefore rename so a crash can't lose your latest turn. (#34) - Crash-safe batch tools. Centralized the batch-tool parallelism behind one panic-recovering helper — a single bad input can no longer take down the whole agent. (#33)
✨ New
- Scheduled tasks now feed back into the conversation. When a scheduled job posts its result to a Telegram chat, that exchange is recorded into the chat's session — so you can follow up ("what did that scheduled task find?") and the agent remembers. The run itself stays isolated and deterministic. (#35)
🩹 Fixes & docs
- Fixed
/neworphaning the per-chat mutex and raised the sub-agent stdout scan cap. (#29) - Brought the landing-page IDENTITY.md example in line with the shipped system prompt (incl. the prompt-injection detection section). (#36)
What's Changed
- fix(concurrency): stop /new orphaning per-chat mutex; raise sub-agent stdout scan cap by @jkyberneees in #29
- fix(security): close ~/.odek/ write carve-out privilege escalation by @jkyberneees in #30
- fix(security): add dial-time IP guard to stop SSRF / DNS-rebinding by @jkyberneees in #31
- fix(serve): break approval deadlock + race in wsApprover by @jkyberneees in #32
- perf(tools): centralize batch parallelism with panic-safe helper by @jkyberneees in #33
- fix: tool resilience & crash-durable persistence (5 fixes) by @jkyberneees in #34
- feat(schedule): record delivered Telegram results into the chat session by @jkyberneees in #35
- docs(site): bring the IDENTITY.md example up to date with the system prompt by @jkyberneees in #36
Full Changelog: v1.6.0...v1.7.0
v1.6.0
What's Changed
- Centralized embedding backend: semantic memory, session_search & skill matching by @jkyberneees in #28
Summary
Centralized Embedding Backend
All embedding functionality is now consolidated into a new internal/embedding/ package, shared across semantic memory, session search, and skill matching. Previously each subsystem managed its own embedding logic independently.
Changes by Area
New internal/embedding/ package
- Unified embedding client with HTTP backend support
- Featurization helpers moved from
internal/memory/ - Comprehensive edge-case tests
Skill Matching (internal/skills/)
vector_matcher.goextended to use the centralized embedding backend- New HTTP integration tests (
vector_matcher_http_test.go)
Session Search (internal/session/)
vector_index.gorefactored to delegate to the shared embedding backend- New HTTP integration tests (
vector_index_http_test.go)
Memory (internal/memory/)
embedder.gosignificantly slimmed down — now a thin wrapper over the centralized backend- Mock added for unit testing without a live embedding server
Config (internal/config/)
- New
loader.gowith tests for embedding backend configuration
Docker
docker-compose.yml,Dockerfile.embeddings,.env.example, and config files updated to reflect the new backend setup
Docs
- New
docs/LEARNING.md docs/CONFIG.mdexpanded with embedding backend configuration referencedocs/MEMORY.md,docs/SESSIONS.md, and Docker guide updated
Full Changelog: v1.5.0...v1.6.0
v1.5.0
What's Changed
- fix(loop): deliver recovered tool-panic message to the LLM + review cleanups by @jkyberneees in #26
- feat(memory): pluggable semantic embeddings via go-vector v1.3.0 by @jkyberneees in #27
Full Changelog: v1.4.0...v1.5.0