Skip to content

chore(deps): bump node from 20-bookworm-slim to 25-bookworm-slim#33

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/node-25-bookworm-slim
Closed

chore(deps): bump node from 20-bookworm-slim to 25-bookworm-slim#33
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/node-25-bookworm-slim

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 17, 2026

Copy link
Copy Markdown
Contributor

Bumps node from 20-bookworm-slim to 25-bookworm-slim.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps node from 20-bookworm-slim to 25-bookworm-slim.

---
updated-dependencies:
- dependency-name: node
  dependency-version: 25-bookworm-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 17, 2026
@dependabot @github

dependabot Bot commented on behalf of github Apr 17, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: security. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

revagomes pushed a commit to revagomes/agi-agent-kit that referenced this pull request May 3, 2026
…dev#20)

Fixes all 23 open CodeQL alerts on techwavedev/agi-agent-kit:

Framework code (real risk):
- techwavedev#36 py/command-line-injection: execution/fastapi_tool_bridge.py — replaced
  subprocess.run(cmd, shell=True, ...) with a strict allowlist + argv-list
  invocation (shell=False). Unknown commands are now rejected.

Template boilerplate (shipped to user projects):
- techwavedev#35 py/reflective-xss & techwavedev#17 js/reflected-xss (whatsapp-cloud-api webhook):
  echo the Meta verification challenge with explicit text/plain content-type
  so the reflected value cannot be interpreted as HTML/JS.
- techwavedev#33 py/flask-debug: Flask debug mode is now opt-in via FLASK_DEBUG env var
  (default off) — the Werkzeug interactive debugger must never be exposed.
- techwavedev#34 py/insecure-protocol (claude-monitor/api_bench.py): TLS context now
  enforces minimum_version = TLSv1.2, so benchmarks cannot negotiate SSLv3
  or TLS 1.0/1.1.
- techwavedev#16 js/incomplete-sanitization (ui-ux-pro-max template.ts): YAML frontmatter
  escaping now escapes backslashes BEFORE quotes, fixing the bypass.
- techwavedev#15 js/shell-command-injection-from-environment (ui-ux-pro-max extract.ts):
  shell-based copy fallback replaced with execFile + argv array (no shell).
- techwavedev#9 js/functionality-from-untrusted-source (algorithmic-art viewer.html):
  p5.js CDN include pinned with Subresource Integrity (sha384) and
  crossorigin="anonymous".
- techwavedev#18techwavedev#32 py/clear-text-{logging,storage}-sensitive-data (14 alerts across
  007, whatsapp-cloud-api, instagram skill templates): refactored so bearer
  tokens are never bound to named locals that reach print(); added regex
  _redact() scrubbers at every print/write sink; masked phone numbers as
  PII before logging; removed full-response dumps that echoed the
  Authorization header back on error.

Dependabot hardening (per operator request):
- .github/dependabot.yml now also covers the nested ui-ux-pro-max/cli
  package and Docker images, splits production vs dev npm groups, and
  labels every PR with "security". Weekly cadence retained for pip and
  github-actions. CVE-triggered security updates remain always-on.

All fixes are template-safe and preserve existing CLI behaviour — template
scripts still emit readable diagnostic output, just without the credential
flow paths CodeQL was tracking.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
revagomes pushed a commit to revagomes/agi-agent-kit that referenced this pull request May 3, 2026
* fix: use NPM OIDC trusted publisher instead of token

The publish workflow was failing with NODE_AUTH_TOKEN empty because
the token-based publish is deprecated in favor of NPM OIDC trusted
publishers. Fix:

- Remove NODE_AUTH_TOKEN env var (conflicts with OIDC)
- Upgrade npm to latest (>=11.5.1) for OIDC publishing support
- Keep id-token: write permission and --provenance flag

NPM trusted publisher is already configured on npmjs.com for this
repo. OIDC federates identity from GitHub Actions → NPM, eliminating
the need for long-lived tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: Output Gates + fix skill deduplication (techwavedev#32)

## Output Gates (Bash Validation)
- Parse optional `## Output Gate` section from sub-agent directives
- Emit `validation_gate` with bash command in dispatch manifests
- Orchestrator must run gate and trust stdout over self-reports
- Retry-once-then-user-prompt on failure
- All 6 sub-agent directives wired with gates
- Scenario 11 test added

## Skill Deduplication Fix
- Resolved 13 skill name conflicts in templates/skills/
- Deleted 4 exact-duplicate folders (xlsx, pdf, docx, pptx)
- Fixed 2 mislabeled frontmatter (systematic-debugging, plan-writing)
- Removed 7 cross-source duplicates (superpowers-lab, cross-tier)
- Added deduplicateSkills() post-install validator to init.js

* feat: validate_gate.py, /agi router scripts, new skills, catalog sync (#44)

* feat(gates): add standalone validate_gate.py and wire asset_compiler gate (closes techwavedev#33)

- Implemented standalone Python validator for Output Gates
- Added Output Gate to asset_compiler.md
- Verified scenario 11 passes
- Note: PR techwavedev#32 wired docs and test_generator, this finishes the remaining file-verifiable agents.

* feat: add /agi router scripts, image-ai-generator + resend skills, sync skill catalog

- execution/list_capabilities.py — enumerate installed skills + execution scripts
- execution/resolve_paths.py — dual-path resolution for global/local installs
- execution/route_request.py — route user requests to matching skills/scripts
- skills/image-ai-generator/ — new skill for AI image generation workflows
- skills/resend/ — new skill for Resend email API integration
- skills/SKILLS_CATALOG.md + templates/skills/extended/ — full catalog sync (371 files)

Partial work toward techwavedev#34 (/agi unified router)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: wire resolve_paths into dispatch_agent_team.py for dual-path resolution

dispatch_agent_team.py now imports resolve_file/get_project_root from
resolve_paths.py (with graceful fallback for standalone use), replacing
the inline find_project_root() implementation. Part of techwavedev#34.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: per-run state.json emission + lightweight team-run dashboard (techwavedev#43)

* Initial plan

* feat: state.json emission from dispatch_agent_team.py + lightweight dashboard

- Add execution/team_state.py: helper with update/read/list-active/prune subcommands
- Emit .tmp/team-runs/<run_id>/state.json on every team dispatch
- Update orchestrator instructions to mandate state.json updates per step
- Add dashboard/server.py + dashboard/index.html (vanilla HTML, auto-refresh 2s)
- Update session_wrapup.py to prune old state files via team_state.py prune
- Add scenario 12 (state-observability) to run_test_scenario.py
- Fix store_to_memory warnings to go to stderr (not stdout)

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/ab84de26-8f2d-4071-857b-242dede7a2ac

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* feat: hybrid knowledge base (Qdrant RAG + markdown fallback) (techwavedev#42)

* Initial plan

* feat: implement hybrid knowledge base persistence (Qdrant RAG + markdown fallback)

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* fix: address code review - use SHA-256 for deterministic UUIDs, move imports to module level

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* fix: resolve dispatch_agent_team.py post-merge issues

- find_project_root() → get_project_root() (resolve_paths import)
- load_team_directive: drop unused root param, update call site
- _load_team_state: guard against spec=None before module_from_spec

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: Workflow Engine — execute guided multi-skill playbooks (#45)

* Initial plan

* feat: Workflow Engine — execute guided multi-skill playbooks

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/b1bbb8dc-3c5f-4c65-88c7-d87b2e093b8d

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* feat: implement phase-reset architecture and dynamic team composition

* feat: complete global install mode via init.js and dual-path scripts

* feat: implement skill trigger evaluation (techwavedev#40)

* feat: MoE Swarm Router (NotebookLM Implementation) (#47)

* release: bump version to 1.7.4

* feat(swarm): implement MoE Swarm Router logic for parallel task execution (Closes #46)

* fix(swarm): direct orchestrator handoff and qdrant memory cache hit implementation (#48)

* feat(swarm): inject qdrant context chunks as RAG payload to save tokens (#49)

* feat(gems): create gem factory to build shareable gems and skills (#50)

* feat(eval): implement autonomous ralph feedback loop using local engine (#51)

* feat: core mempalace integration (#57)

- Adds AAAK compression and original payload preservation (closes #52)
- Adds temporal --expire-days filtering (closes #53)

* feat: implement local micro agent pre-store contradiction check (closes #54) (#58)

- Adds point_id extraction to memory chunks
- Hooks local_micro_agent.py dynamically to evaluate conflicting ledger facts

* fix: hybrid_search raw filter pass-through for complex queries (closes #55) (#59)

- Removes restrictive keyword payload matching
- Pipes full Qdrant logic including must_not range conditions

* feat: script to delete un-scoped legacy qdrant items (closes #56) (#60)

* feat: transparent cloud fallback for deterministic agent routing (closes #61) (#62)

- Adds REST execution pathways for gemini-1.5-flash, claude-3-haiku, and gpt-4o-mini
- Automatically parses API keys from local environment bypassing heavy-weight ollama dependencies

* docs: generate marketing release and bump patch to 1.7.5 for mempalace upgrade

* fix: payload passthrough for wing/room/original_text/valid_until in retrieval pipeline

Root cause: hybrid_search._vector_search() and memory_retrieval.retrieve_context()
were both hardcoded to cherry-pick only content/type/project/tags/timestamp from
Qdrant payload results. All spatial, temporal, and zero-loss fields were silently
dropped. Also fixed retrieve command threshold default (0.7 -> 0.45) and removed
stale imports causing UnboundLocalError in contradiction resolver.

* chore: code cleanup, docs update, and safety improvements

- Remove orphaned docstring in local_micro_agent.py run_inference()
- Hoist stale inner imports (time, urllib) to module-level in memory_manager.py
- Move dev-only benchmark/cleanup scripts to .tmp/dev-tools/
- Add dry-run default + --force flag to sweep_legacy_memory.py
- Add docs/execution/memory_manager.md (spatial, AAAK, temporal, contradiction)
- Update docs/execution/local_micro_agent.md with cloud fallback chain
- Update CHANGELOG.md with all v1.7.5 bugfixes from live testing

* fix: complete contradiction resolver pipeline

Two root causes prevented contradiction resolution from working:
1. Empty query string in retrieve_context() produced zero-score vectors
   that fell below threshold, so no existing facts were ever found.
   Fix: use the new content as the search query.
2. Deprecated facts (valid_until set) were never filtered during search.
   Fix: add must_not range filter in hybrid_search._vector_search() to
   auto-exclude points where valid_until <= current time.

* fix: BM25 results now respect Qdrant payload filters (project/wing/room)

BM25 (SQLite FTS5) has no concept of Qdrant payload filters, so unscoped
results leaked into hybrid search when: 1) BM25-only results merged into
vector results without validation, and 2) the BM25-only fallback path
(when vector returns 0) returned results without any filter check.

Fix: Both paths now validate each BM25-only result against Qdrant via
a point lookup before including it. Also fixed the merge path to pass
wing/room/original_text/valid_until through the merged result dict.

* fix(memory): stabilize architecture and resolve 10 deep evaluation bugs for v1.7.5

* fix(secrets): resolve semgrep false positive on .partition() bypassing string split

* fix(security): replace blocked packages trivy and litellm with snyk and langfuse

* feat: Environment auto-setup directive & session_boot generative model support (#63)

* feat: add environment auto-setup directive and enhance session_boot.py

- Create directives/setup_environment.md: comprehensive bootstrap guide for
  new machines covering Python venv, Homebrew deps, Ollama models, Qdrant,
  and the private/public repo workflow.
- Enhance session_boot.py to auto-pull generative models (gemma4:e4b,
  glm-4.7-flash) during --auto-fix, not just the embedding model.
- Fix session_boot.py run_session_init() to use sys.executable instead of
  hardcoded 'python3' so it always respects the active venv.
- Update SKILLS_CATALOG.md with latest skill metadata.

* fix: address Copilot review comments on PR #63

- Remove duplicate 'import sys' statement
- Use exact model name match instead of prefix match for installed check
- Separate pull failures into report['issues'] instead of report['actions_taken']
- Add --no-generative flag to skip large model downloads in CI/constrained envs
- Use explicit /opt/homebrew/bin/python3 for venv creation in directive
- Clarify required vs optional Ollama models in directive

---------

Co-authored-by: Elton <elton@kuaray.lan>

* chore: bump v1.7.6 — template sync, security directives, langfuse integration, local routing

- Version bump: 1.7.5 → 1.7.6
- CHANGELOG: added 1.7.6 entry (security validation, langfuse, local micro agent, task router)
- templates/base/execution: synced 30+ new execution scripts from project root
- templates/base/directives: added security_team, code_security_reviewer, dependency_auditor, secret_scanner
- templates/skills: synced qdrant-memory scripts, docx/pptx/whatsapp security fixes
- release_gate.py, security_scan.py, README.md updates

* chore: remove internal Time Machine reference from CHANGELOGs

* feat: native multi-agent runtime integration

- Implemented agent_runtime.py to route native subagent tasks via task_router
- Refactored dispatch_agent_team.py to use native logic and drop openclaude CLI bindings
- Added directives/native_multi_agent.md to document the In-Context Delegation protocol
- Synced AGENTS.md and updated templates/base

* chore: release version bump to 1.7.7

* fix: refactor hardcoded 'antigravity' terminology to 'active_session' to support all LLM orchestrators (Claude, Copilot, OpenClaude, etc)

* fix: update exists() to is_file() to prevent directories from being read

* fix: resolve critical reliability bugs #72, #73, #74

- Adds 120s timeout and exception handling to local ollama deployments
- Automates directory creation for missing worktrees
- Traps JSONDecodeErrors gracefully on manifest generation

* chore: restore missing agent team rules and workflows to live workspace

- Restores agent_team_rules.md
- Restores memory-usage.md
- Restores run-agent-team-tests.md

* fix: resolve post-release architectural findings 77, 78, 79

Removes legacy fastapi tool bridge

Enforces exists check on local agent route building

Degrades docker dependency missing warning to a benign skip

* fix: restore missing feature files claimed in README

- Restores `blockchain_auth.py` to the live execution path.
- Restores `plugin-discovery/scripts/platform_setup.py` into live skills tier to ensure setup wizard functions appropriately.

* chore: backlog blockchain authentication components

- Formally removes  from live and base templates after feature freeze.
- Redacts blockchain docs and integration snippets from README.
- Re-flags Trust & Tenancy mode to '🧊 Backlogged' within architectural roadmap.

* fix: restore missing cross-platform agent routing symlinks

Generates the advertised OPENCODE.md, COPILOT.md, and OPENCLAW.md symlinks bridging external models into the native AGENTS.md context stream.

* chore: bump version to 1.7.8 and update CHANGELOG

Properly formalises the architectural stability patches, native platform symlinks, and dependency logic fixes mapped natively over the core AGI structural guidelines.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Elton <elton@kuaray.lan>
Co-authored-by: Elton Machado <elton@techwave.dev>
revagomes pushed a commit to revagomes/agi-agent-kit that referenced this pull request May 3, 2026
* fix: use NPM OIDC trusted publisher instead of token

The publish workflow was failing with NODE_AUTH_TOKEN empty because
the token-based publish is deprecated in favor of NPM OIDC trusted
publishers. Fix:

- Remove NODE_AUTH_TOKEN env var (conflicts with OIDC)
- Upgrade npm to latest (>=11.5.1) for OIDC publishing support
- Keep id-token: write permission and --provenance flag

NPM trusted publisher is already configured on npmjs.com for this
repo. OIDC federates identity from GitHub Actions → NPM, eliminating
the need for long-lived tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: Output Gates + fix skill deduplication (techwavedev#32)

## Output Gates (Bash Validation)
- Parse optional `## Output Gate` section from sub-agent directives
- Emit `validation_gate` with bash command in dispatch manifests
- Orchestrator must run gate and trust stdout over self-reports
- Retry-once-then-user-prompt on failure
- All 6 sub-agent directives wired with gates
- Scenario 11 test added

## Skill Deduplication Fix
- Resolved 13 skill name conflicts in templates/skills/
- Deleted 4 exact-duplicate folders (xlsx, pdf, docx, pptx)
- Fixed 2 mislabeled frontmatter (systematic-debugging, plan-writing)
- Removed 7 cross-source duplicates (superpowers-lab, cross-tier)
- Added deduplicateSkills() post-install validator to init.js

* feat: validate_gate.py, /agi router scripts, new skills, catalog sync (#44)

* feat(gates): add standalone validate_gate.py and wire asset_compiler gate (closes techwavedev#33)

- Implemented standalone Python validator for Output Gates
- Added Output Gate to asset_compiler.md
- Verified scenario 11 passes
- Note: PR techwavedev#32 wired docs and test_generator, this finishes the remaining file-verifiable agents.

* feat: add /agi router scripts, image-ai-generator + resend skills, sync skill catalog

- execution/list_capabilities.py — enumerate installed skills + execution scripts
- execution/resolve_paths.py — dual-path resolution for global/local installs
- execution/route_request.py — route user requests to matching skills/scripts
- skills/image-ai-generator/ — new skill for AI image generation workflows
- skills/resend/ — new skill for Resend email API integration
- skills/SKILLS_CATALOG.md + templates/skills/extended/ — full catalog sync (371 files)

Partial work toward techwavedev#34 (/agi unified router)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: wire resolve_paths into dispatch_agent_team.py for dual-path resolution

dispatch_agent_team.py now imports resolve_file/get_project_root from
resolve_paths.py (with graceful fallback for standalone use), replacing
the inline find_project_root() implementation. Part of techwavedev#34.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: per-run state.json emission + lightweight team-run dashboard (techwavedev#43)

* Initial plan

* feat: state.json emission from dispatch_agent_team.py + lightweight dashboard

- Add execution/team_state.py: helper with update/read/list-active/prune subcommands
- Emit .tmp/team-runs/<run_id>/state.json on every team dispatch
- Update orchestrator instructions to mandate state.json updates per step
- Add dashboard/server.py + dashboard/index.html (vanilla HTML, auto-refresh 2s)
- Update session_wrapup.py to prune old state files via team_state.py prune
- Add scenario 12 (state-observability) to run_test_scenario.py
- Fix store_to_memory warnings to go to stderr (not stdout)

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/ab84de26-8f2d-4071-857b-242dede7a2ac

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* feat: hybrid knowledge base (Qdrant RAG + markdown fallback) (techwavedev#42)

* Initial plan

* feat: implement hybrid knowledge base persistence (Qdrant RAG + markdown fallback)

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* fix: address code review - use SHA-256 for deterministic UUIDs, move imports to module level

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* fix: resolve dispatch_agent_team.py post-merge issues

- find_project_root() → get_project_root() (resolve_paths import)
- load_team_directive: drop unused root param, update call site
- _load_team_state: guard against spec=None before module_from_spec

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: Workflow Engine — execute guided multi-skill playbooks (#45)

* Initial plan

* feat: Workflow Engine — execute guided multi-skill playbooks

Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/b1bbb8dc-3c5f-4c65-88c7-d87b2e093b8d

Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com>

* feat: implement phase-reset architecture and dynamic team composition

* feat: complete global install mode via init.js and dual-path scripts

* feat: implement skill trigger evaluation (techwavedev#40)

* feat: MoE Swarm Router (NotebookLM Implementation) (#47)

* release: bump version to 1.7.4

* feat(swarm): implement MoE Swarm Router logic for parallel task execution (Closes #46)

* fix(swarm): direct orchestrator handoff and qdrant memory cache hit implementation (#48)

* feat(swarm): inject qdrant context chunks as RAG payload to save tokens (#49)

* feat(gems): create gem factory to build shareable gems and skills (#50)

* feat(eval): implement autonomous ralph feedback loop using local engine (#51)

* feat: core mempalace integration (#57)

- Adds AAAK compression and original payload preservation (closes #52)
- Adds temporal --expire-days filtering (closes #53)

* feat: implement local micro agent pre-store contradiction check (closes #54) (#58)

- Adds point_id extraction to memory chunks
- Hooks local_micro_agent.py dynamically to evaluate conflicting ledger facts

* fix: hybrid_search raw filter pass-through for complex queries (closes #55) (#59)

- Removes restrictive keyword payload matching
- Pipes full Qdrant logic including must_not range conditions

* feat: script to delete un-scoped legacy qdrant items (closes #56) (#60)

* feat: transparent cloud fallback for deterministic agent routing (closes #61) (#62)

- Adds REST execution pathways for gemini-1.5-flash, claude-3-haiku, and gpt-4o-mini
- Automatically parses API keys from local environment bypassing heavy-weight ollama dependencies

* docs: generate marketing release and bump patch to 1.7.5 for mempalace upgrade

* fix: payload passthrough for wing/room/original_text/valid_until in retrieval pipeline

Root cause: hybrid_search._vector_search() and memory_retrieval.retrieve_context()
were both hardcoded to cherry-pick only content/type/project/tags/timestamp from
Qdrant payload results. All spatial, temporal, and zero-loss fields were silently
dropped. Also fixed retrieve command threshold default (0.7 -> 0.45) and removed
stale imports causing UnboundLocalError in contradiction resolver.

* chore: code cleanup, docs update, and safety improvements

- Remove orphaned docstring in local_micro_agent.py run_inference()
- Hoist stale inner imports (time, urllib) to module-level in memory_manager.py
- Move dev-only benchmark/cleanup scripts to .tmp/dev-tools/
- Add dry-run default + --force flag to sweep_legacy_memory.py
- Add docs/execution/memory_manager.md (spatial, AAAK, temporal, contradiction)
- Update docs/execution/local_micro_agent.md with cloud fallback chain
- Update CHANGELOG.md with all v1.7.5 bugfixes from live testing

* fix: complete contradiction resolver pipeline

Two root causes prevented contradiction resolution from working:
1. Empty query string in retrieve_context() produced zero-score vectors
   that fell below threshold, so no existing facts were ever found.
   Fix: use the new content as the search query.
2. Deprecated facts (valid_until set) were never filtered during search.
   Fix: add must_not range filter in hybrid_search._vector_search() to
   auto-exclude points where valid_until <= current time.

* fix: BM25 results now respect Qdrant payload filters (project/wing/room)

BM25 (SQLite FTS5) has no concept of Qdrant payload filters, so unscoped
results leaked into hybrid search when: 1) BM25-only results merged into
vector results without validation, and 2) the BM25-only fallback path
(when vector returns 0) returned results without any filter check.

Fix: Both paths now validate each BM25-only result against Qdrant via
a point lookup before including it. Also fixed the merge path to pass
wing/room/original_text/valid_until through the merged result dict.

* fix(memory): stabilize architecture and resolve 10 deep evaluation bugs for v1.7.5

* fix(secrets): resolve semgrep false positive on .partition() bypassing string split

* fix(security): replace blocked packages trivy and litellm with snyk and langfuse

* feat: Environment auto-setup directive & session_boot generative model support (#63)

* feat: add environment auto-setup directive and enhance session_boot.py

- Create directives/setup_environment.md: comprehensive bootstrap guide for
  new machines covering Python venv, Homebrew deps, Ollama models, Qdrant,
  and the private/public repo workflow.
- Enhance session_boot.py to auto-pull generative models (gemma4:e4b,
  glm-4.7-flash) during --auto-fix, not just the embedding model.
- Fix session_boot.py run_session_init() to use sys.executable instead of
  hardcoded 'python3' so it always respects the active venv.
- Update SKILLS_CATALOG.md with latest skill metadata.

* fix: address Copilot review comments on PR #63

- Remove duplicate 'import sys' statement
- Use exact model name match instead of prefix match for installed check
- Separate pull failures into report['issues'] instead of report['actions_taken']
- Add --no-generative flag to skip large model downloads in CI/constrained envs
- Use explicit /opt/homebrew/bin/python3 for venv creation in directive
- Clarify required vs optional Ollama models in directive

---------

Co-authored-by: Elton <elton@kuaray.lan>

* chore: bump v1.7.6 — template sync, security directives, langfuse integration, local routing

- Version bump: 1.7.5 → 1.7.6
- CHANGELOG: added 1.7.6 entry (security validation, langfuse, local micro agent, task router)
- templates/base/execution: synced 30+ new execution scripts from project root
- templates/base/directives: added security_team, code_security_reviewer, dependency_auditor, secret_scanner
- templates/skills: synced qdrant-memory scripts, docx/pptx/whatsapp security fixes
- release_gate.py, security_scan.py, README.md updates

* chore: remove internal Time Machine reference from CHANGELOGs

* feat: native multi-agent runtime integration

- Implemented agent_runtime.py to route native subagent tasks via task_router
- Refactored dispatch_agent_team.py to use native logic and drop openclaude CLI bindings
- Added directives/native_multi_agent.md to document the In-Context Delegation protocol
- Synced AGENTS.md and updated templates/base

* chore: release version bump to 1.7.7

* fix: refactor hardcoded 'antigravity' terminology to 'active_session' to support all LLM orchestrators (Claude, Copilot, OpenClaude, etc)

* fix: update exists() to is_file() to prevent directories from being read

* fix: resolve critical reliability bugs #72, #73, #74

- Adds 120s timeout and exception handling to local ollama deployments
- Automates directory creation for missing worktrees
- Traps JSONDecodeErrors gracefully on manifest generation

* chore: restore missing agent team rules and workflows to live workspace

- Restores agent_team_rules.md
- Restores memory-usage.md
- Restores run-agent-team-tests.md

* fix: resolve post-release architectural findings 77, 78, 79

Removes legacy fastapi tool bridge

Enforces exists check on local agent route building

Degrades docker dependency missing warning to a benign skip

* fix: restore missing feature files claimed in README

- Restores `blockchain_auth.py` to the live execution path.
- Restores `plugin-discovery/scripts/platform_setup.py` into live skills tier to ensure setup wizard functions appropriately.

* chore: backlog blockchain authentication components

- Formally removes  from live and base templates after feature freeze.
- Redacts blockchain docs and integration snippets from README.
- Re-flags Trust & Tenancy mode to '🧊 Backlogged' within architectural roadmap.

* fix: restore missing cross-platform agent routing symlinks

Generates the advertised OPENCODE.md, COPILOT.md, and OPENCLAW.md symlinks bridging external models into the native AGENTS.md context stream.

* chore: bump version to 1.7.8 and update CHANGELOG

Properly formalises the architectural stability patches, native platform symlinks, and dependency logic fixes mapped natively over the core AGI structural guidelines.

* fix(security): resolve CVEs by pinning python dependencies and syncing dependabot npm bumps

- Pinned cryptography>=44.0.0
- Pinned requests>=2.32.3
- Synced PR techwavedev#27 npm package-lock resolutions from public

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Elton <elton@kuaray.lan>
Co-authored-by: Elton Machado <elton@techwave.dev>
@dependabot @github

dependabot Bot commented on behalf of github May 8, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #40.

@dependabot dependabot Bot closed this May 8, 2026
@dependabot dependabot Bot deleted the dependabot/docker/node-25-bookworm-slim branch May 8, 2026 21:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants