Changelog

Added: 5 changes. Changed: 4 changes. Fixed: 4 changes. Key changes: Agent efficacy push: Memory introspection, selective forgetting, relationship-memory automation, and task operating state are now first-class parts of the shared pipeline. Introspection-driven execution: Task-oriented turns now begin from introspected runtime truth, can compose specialists from a clean slate, and preserve executed state across normalization retries. Delegation and composition flow: Empty-roster specialist requests now progress into composition and delegation instead of collapsing into narrated intent or centralization. Task-path truthfulness: Filesystem/runtime blockers now surface as real blockers instead of canned fallback prose.

Added: 8 changes. Fixed: 4 changes. Changed: 2 changes. Key changes: Model categorization with 29-model capability profiles, skill authoring API, Landlock/Job Object script confinement, typestate session lifecycle, delegation scoring engine, and critical signal adapter fixes.

Added: 6 changes. Changed: 1 change. Fixed: 1 change. Key changes: New `roboticus tui` terminal application, configurable context budget tiers, integrations management endpoints/CLI, tool output noise filtering, and dashboard configuration/routing UX improvements.

Added: 7 changes. Fixed: 10 changes. Changed: 5 changes. Key changes: server crate split (`roboticus-cli`/`roboticus-api`/slim server), unified error model, channel adapter helper extraction, model categorization/router spec, and broad hardening around SQL safety, session integrity, config generation, and silent error triage.

Added: 8 changes. Fixed: 18 changes. Key changes: DB fitness hardening (DF-1–DF-18): 18-item SQLite performance audit resolved — retention pruning for 5 high-growth tables, orphan cleanup sweeps (working memory + embeddings), `auto_vacuum=INCREMENTAL`, 6 missing indexes, episodic dead-entry pruning, cache NULL-expiry fix, `PRAGMA synchronous=NORMAL` under WAL, CHECK constraints on 11 columns, and dead `proxy_stats` table removal. Memory hygiene mechanic: `roboticus mechanic` detects and (with `--repair`) purges contaminated memory entries using 7 deterministic LIKE-prefix patterns across 3 tiers, with JSON-structured findings. Circuit breaker window reset: `record_failure()` now tracks `window_start` for rolling-window accumulation — failures spaced ~60s apart correctly accumulate instead of resetting. Embedding auth for local providers: `EmbeddingConfig.is_local` skips API key resolution and auth headers for Ollama/llama.cpp.

Added: 14 changes. Key changes: Compliance-first self-funding control plane: Complete revenue opportunity lifecycle (intake → qualify → score → plan → fulfill → settle) with DB-backed restart safety, strategy-level scoring (confidence/effort/risk/priority/recommendation), feedback persistence per opportunity and summary by strategy, configurable post-settlement asset routing (default `PALM_USD`), EVM swap submission with tx-hash tracking and on-chain receipt reconciliation, tax payout lifecycle mirroring swap tasks, and operator-visible accounting (net profit, attributable costs, retained earnings, tax allocation) across API, CLI, and mechanic surfaces. Revenue mechanic integration: Mechanic can probe, reconcile, and repair orphaned or stale revenue jobs and swap/tax reconciliation mismatches via `run_gateway_provider_and_revenue_checks` and `run_gateway_integrated_repair_sweep`.

Changed: 8 changes. Fixed: 5 changes. Note: 1 change. Key changes: Terminology normalization: `soul_text` → `os_text`, `soul_history` → `os_personality_history` (migration 020) for firmware/OS terminology coherency. Behavior soak hardening: `scripts/run-agent-behavior-soak.py` now includes regression checks for filesystem capability truthfulness, subagent capability response quality, and affirmative continuation quality, with rubric updates to score substantive outcomes over brittle phrase matching. Internal protocol fallback leakage: response sanitization no longer surfaces protocol-placeholder fallback text; empty/degraded sanitized content now resolves through deterministic user-facing quality fallback. Markdown count execution reliability: execution shortcut path now handles recursive markdown-file count prompts deterministically, including strict numeric-only responses when requested (`count only` / `only the number` style prompts).

Added: 3 changes. Changed: 7 changes. Fixed: 2 changes. Security: 1 change. Key changes: Routing observability UX: Metrics dashboard now includes an explorable model-decision graph and a routing-profile spider graph (correctness/cost/speed) with runtime apply support via safe config patching. Model shift telemetry: Non-streaming inference pipeline now emits websocket `model_shift` events when execution model differs from selected model (fallback or cache continuity path). Agent message contract: `/api/agent/message` responses now expose both routing-time and execution-time model fields (`selected_model`, `model`, `model_shift_from`) for continuity diagnostics. Routing dataset privacy default: `GET /api/models/routing-dataset` now redacts `user_excerpt` by default; explicit opt-in is required to include excerpts.

Added: 15 changes. Changed: 7 changes. Removed: 4 changes. Key changes: Wiring Remediation (Phase 0): Comprehensive Tier 1–3 wiring audit remediation. 14 gates cleared — all functional wires verified against code. See `docs/audit/wiring-audit-v0.9.md` for the full re-audit. Unified Request Pipeline: API (`agent_message`) and channel (`process_channel_message`) paths now share `prepare_inference` + `execute_inference_pipeline` in `core.rs`, eliminating 6+ behavioral asymmetries between entry points. `post_turn_ingest` Tool Results: All call sites now pass actual tool call name + result from the ReAct loop instead of `&[]`. Episodic memory captures tool-use context, improving digest quality. Gate System Note: `build_gate_system_note` now wired in both API and channel paths (previously channel-only).

Added: 6 changes. Changed: 2 changes. Key changes: Model Metascore Routing (2.19 core): Unified per-model scoring replaces availability-first routing. `ModelProfile` combines static provider attributes (cost, tier, locality) with dynamic observations (quality, capacity headroom, circuit breaker health). `metascore()` produces a transparent 5-dimension breakdown (efficacy, cost, availability, locality, confidence) with configurable weights for cost-aware mode. `select_by_metascore()` is now the primary routing decision in `select_routed_model_with_audit()`. Tiered Inference Pipeline (2.3): `ConfidenceEvaluator` scores local model responses using token probability, response length, and self-reported uncertainty signals. Responses below the confidence floor trigger automatic escalation to the next model in the fallback chain. `EscalationTracker` records escalation events for capacity/cost telemetry. Routing hot path: `select_routed_model_with_audit()` now extracts features from user content, classifies task complexity, builds model profiles, and selects via metascore — replacing the previous first-usable-model strategy. Rate limiter architecture: `GlobalRateLimitLayer` is now constructed once at startup and shared between the axum middleware stack and `AppState`, enabling admin observability of the same rate-limit counters the middleware uses.

Security: 3 changes. Fixed: 14 changes. Key changes: HIGH: RwLock held across LLM call: Config read-lock was held for the entire duration of streaming LLM calls, blocking all config writes. Now clones needed values and drops the lock before the network call. HIGH: CSS selector injection: Browser `click` and `type_text` actions now validate CSS selectors, rejecting inputs containing `{`/`}` (which can escape selector context into rule injection) and enforcing a 500-character length limit. HIGH: SSE streaming drops tool-use deltas: OpenAI-format SSE chunks with `content: null` (common in function-call and tool-use deltas) were silently dropped. Now emits an empty-string delta, matching the Anthropic and Google format arms. HIGH: Done event schema mismatch: The SSE `stream_done` event used `"content"` key while all streaming chunks used `"delta"`, causing clients to miss the done signal. Now consistently uses `"delta"`.

Security: 13 changes. Fixed: 26 changes. Key changes: HIGH: WebSocket API key leak: Replaced `?token=` query-string authentication on WebSocket upgrade with a ticket-based flow, preventing API keys from appearing in server logs, proxy logs, and browser history. HIGH: Prompt injection in tips: `get_turn_tips` and `get_session_insights` now sanitize LLM-generated tips before rendering, preventing stored prompt injection via malicious session content. HIGH: Float policy bypass: Policy enforcement on `amount` fields now falls back to `as_f64()` conversion, closing a bypass where float amounts evaded integer-only checks. HIGH: Tool call parsing failures: `parse_tool_call` now uses `rfind` with a candidate loop, correctly parsing tool calls that contain the delimiter character in arguments.

Fixed: 19 changes. Added: 2 changes. Key changes: CRIT: Cron jobs silently never firing: `run_cron_worker` timestamp format lacked timezone suffix (`Z`), causing `evaluate_cron` RFC 3339 parse to always fail — all cron-scheduled jobs were silently skipped. HIGH: Telegram chunk_message UTF-8 panic: Byte-level string slicing in `chunk_message` panicked on multi-byte characters (emoji, CJK). Now uses `floor_char_boundary()` matching the Discord adapter. Release notes for v0.8.5 and v0.8.6 (missing from previous releases, blocking release doc gate). Roadmap section 1.24: Built-in CLI Agent Skills (Claude Code + Codex CLI).

Security: 9 changes. Fixed: 14 changes. Added: 2 changes. Key changes: CRIT: Unauthenticated rate-limit actor identity: Removed `x-user-id` header as rate-limit actor identity — it was unauthenticated and trivially spoofable. CRIT: Stable token fingerprinting: Replaced `DefaultHasher` with SHA-256 for token fingerprinting, since `DefaultHasher` is not stable across processes and could cause cache/rate-limit bypasses. Windows daemon error propagation: `schtasks /Create` errors now propagate instead of being silently dropped; post-spawn verification added; `schtasks /Delete` errors during uninstall handled correctly. CLI API key headers: Added `--api-key`/`ROBOTICUS_API_KEY` global CLI argument. All 22 bare `reqwest` calls replaced with `http_client()` helper that injects API key as default header.

Security: 6 changes. Fixed: 22 changes. Key changes: WASM preemptive timeout (BUG-101): WASM plugin execution now runs on a dedicated thread with `recv_timeout`, providing true preemptive timeout instead of the previous post-hoc elapsed-time check that allowed malicious modules to run indefinitely. Script runner orphan kill (BUG-102): Script runner now captures the child PID before `wait_with_output()` and sends `kill -9` on timeout, preventing orphan process accumulation. reqwest Client panic (BUG-105): `VectorDbSource::new()` and `GraphSource::new()` now return `Result` instead of panicking via `.expect()` when TLS initialization fails. Signal handler crash (BUG-108): SIGTERM handler installation now falls back to SIGINT-only mode instead of crashing via `.expect()` in containerized environments.

Security: 3 changes. Fixed: 16 changes. Changed: 1 change. Key changes: WebSocket message size limit: Unauthenticated WebSocket connections now enforce a 4 KiB inbound message limit and no longer echo full message bodies, closing a ~3x memory amplification DoS vector. Hippocampus TOCTOU fix: `drop_agent_table` auth check and DROP are now wrapped in a single transaction, preventing race-condition bypasses. Agent amnesia on DB error (SF-2): `list_messages` calls in agent routes now propagate errors instead of silently returning empty history via `.unwrap_or_default()`. Governor silent write failures (SF-1): Session expiry and compaction errors are now logged at warn/error level; `tick()` returns an accurate expired count instead of silently swallowing failures with `.ok()`.

Security: 4 changes. Fixed: 4 changes. Added: 1 change. Key changes: Auth bypass when no API key: Requests to non-exempt API routes now fail closed when no API key is configured — only loopback connections are allowed. Previously, missing API key config silently allowed all traffic. A2A replay protection: Added nonce registry with TTL-based expiry to the A2A protocol, preventing message replay attacks within the nonce window. UTF-8 panic in memory truncation: Replaced unsafe byte-level string slicing with `floor_char_boundary()` to prevent panics on multi-byte characters (emoji, CJK) near the 200-char truncation point. Script plugin zombie processes: Script timeout now explicitly kills the child process and reaps it, preventing zombie accumulation.

Added: 3 changes. Fixed: 5 changes. Key changes: 100+ API route integration tests: Comprehensive test coverage for sessions, turns, interviews, feedback, skills, model selection, channels, webhooks, dead letters, admin, memory, cron, context, and approvals endpoints. Tests exercise both success and error paths including validation, 404s, auth, and edge cases. Workspace test count now at 3,316. Homebrew tap distribution: macOS/Linux users can install via `brew install robot-accomplice/tap/roboticus`. 29 stabilization bug fixes: Resolved input validation gaps, API error format inconsistencies, query parameter hardening, security headers, dashboard trailing content, model persistence, cron field naming, and Windows TOML path issues discovered during exhaustive hands-on testing of v0.8.1. HTML injection prevention: Closed remaining sanitization coverage gaps in API write endpoints.

Fixed: 12 changes. Changed: 2 changes. Key changes: 40 smoke/UAT bug fixes: Resolved 40 bugs (5 critical, 6 high, 15 medium, 14 low/UX) discovered during comprehensive smoke testing of all 85 REST routes, 32 CLI commands, and 13 dashboard pages. Input validation hardening: Added field-length limits, HTML sanitization, and null-byte rejection across all API write endpoints. CI scripts use POSIX grep: Replaced all `rg` (ripgrep) invocations with standard `grep -E`/`grep -qE` in CI scripts for broader runner compatibility. Windows compilation: Added conditional `allow(unused_mut)` for platform-gated mutation in security audit command.

Security: 17 changes. Fixed: 22 changes. Added: 16 changes. Changed: 4 changes. Key changes: CORS hardening: Removed wildcard `Access-Control-Allow-Origin: *` fallback when no API key is configured; CORS now always restricts to the configured bind address origin. Wallet key zeroing: Decrypted API keys in the keystore and child agent wallet secrets are now wrapped in `Zeroizing<String>` so key material is zeroed on drop. Telegram invalid-token resilience: Telegram `404/401` poll failures are now classified as likely invalid/revoked bot-token errors with explicit repair guidance and adaptive backoff to reduce noisy tight-loop logging. Subagent runtime activation sync: Taskable subagents are now auto-started at boot and kept in sync with create/update/toggle/delete operations, fixing the `enabled > 0, running = 0` stall where configured subagents stayed idle.

Fixed: 6 changes. Key changes: Windows daemon startup and binary update reliability fixes, dashboard render boundary hardening, and loopback-proxy migration safeguards with explicit deprecation guidance for v0.8.0 removal.

Added: 4 changes. Changed: 3 changes. Key changes: Subagent contract enforcement: Added explicit `subagent` vs `model-proxy` role validation, fixed-skills persistence/validation, and strict rejection of personality payloads for taskable subagents. Model-selection forensics pipeline: Added persistent `model_selection_events` storage, turn-linked forensics APIs (`GET /api/turns/{id}/model-selection`, `GET /api/models/selections`), and live dashboard views for candidate evaluation details. Roster and status semantics: `/api/roster`, `/api/agent/status`, and dashboard agent views now distinguish taskable subagents from model proxies and report taskable counts with clearer operator-facing terminology. Subagent model assignment options: Added support for `auto` (router-controlled) and `commander` (primary-agent-assigned) model modes for taskable subagents, including runtime model resolution behavior.

Fixed: 3 changes. Key changes: Release integrity follow-up: Merged post-tag regression fixes from the 0.6.0 release branch into `develop`, including web peer-scope identity validation, dashboard WebSocket token encoding, and release-gate compile/test stabilization. Session creation stability: Restored explicit default agent scope behavior in DB session creation paths to avoid `500` failures in session lifecycle APIs/tests.

Added: 4 changes. Changed: 5 changes. Key changes: Capacity headroom telemetry: New `GET /api/stats/capacity` endpoint exposes per-provider headroom, utilization, and sustained-pressure flags for operator visibility. Capacity-aware circuit preemption: Circuit breakers now accept soft capacity pressure signals and expose preemptive `half_open` state before hard failure trips. Routing quality now capacity-weighted: `select_for_complexity()` scores candidates by model quality and provider headroom, rather than binary near-capacity fallback behavior. Inference feedback loop now records capacity usage: both non-stream and stream response paths record provider token/request usage and update capacity pressure signals.

Added: 18 changes. Changed: 7 changes. Key changes: Addressability Filter: Composable filter chain for group chat addressability detection. Agent only responds when mentioned by name, replied to, or in a DM. Configurable via `[addressability]` config section with alias names support. Response Transform Pipeline: Three-stage pipeline applied to all LLM responses -- `ReasoningExtractor` (captures `<think>` blocks), `FormatNormalizer` (whitespace/fence cleanup), `ContentGuard` (injection defense). Replaces the previous inline `scan_output` approach. All 10 crate READMEs updated to v0.5.0 with expanded descriptions and key types. All 10 `lib.rs` files now have `//!` crate-level doc comments.

Added: 6 changes. Fixed: 3 changes. Changed: 2 changes. Key changes: Slash commands for agent chat: `/model`, `/models`, `/breaker`, `/retry` for runtime LLM control. Runtime model override via `/model set <model>` — temporarily forces a specific model, bypassing routing. Credit/billing errors now permanently trip the circuit breaker (no auto-recovery to HalfOpen) — providers with exhausted credits are never probed again until explicitly reset via `/breaker reset`. Dashboard "Save to keystore" button now sends `Content-Type: application/json` header — previously failed with "Expected request with 'Content-Type: application/json'".

Fixed: 3 changes. Key changes: `roboticus daemon start` now verifies the service is actually running after `launchctl load` — previously reported "Daemon started" even when the service crashed immediately. `roboticus daemon install` resolves the config path to absolute before embedding in the plist — previously used the relative path which launchd couldn't resolve.

Added: 5 changes. Fixed: 7 changes. Security: 4 changes. Key changes: `roboticus daemon start|stop|restart` subcommands for full daemon lifecycle management. Interactive prompt after `roboticus daemon install` asking whether to start immediately. Replaced stale `[providers.local]` (localhost:8080) with `[providers.moonshot]` in bundled and registry provider configs. Added `moonshot/kimi-k2.5` to dashboard known-models list for settings autocomplete.

Added: 10 changes. Changed: 5 changes. Fixed: 2 changes. Key changes: Signal channel adapter backed by signal-cli JSON-RPC daemon (`roboticus-channels::signal`). Unified thinking indicator (🤖🧠…) for all chat channels (Telegram, WhatsApp, Discord, Signal). `thinking_threshold_seconds` moved from per-channel (`TelegramConfig`) to `ChannelsConfig` level. Channel message processing is now platform-agnostic via `send_typing_indicator` / `send_thinking_indicator` helpers.

Security: 8 changes. Fixed: 11 changes. Changed: 10 changes. Added: 1 change. Key changes: Plugin sandbox: validate tool names against allowlist; reject path-traversal payloads; add `shutdown_all` for graceful teardown. Browser restrictions: block `file://`, `javascript:`, `data:` URI schemes in CDP navigation; harden Chrome launch flags. Telegram adapter now processes all updates in a batch, not just the first. Cron worker dispatches jobs instead of unconditionally marking success.

Full roadmap implementation — 35 items across 7 phases. ReAct agent loop, RAG retrieval pipeline, embedding provider integration, ANN index, persistent semantic cache, sub-agent framework, and comprehensive bug fixes from code review.

Added: 5 changes. Changed: 1 change. Fixed: 1 change. Key changes: Initial Project Roboticus baseline for Roboticus. Multi-crate Rust workspace foundation (runtime crates + integration test crate). Prepared packaging/publish metadata for early release workflows. Early release stabilization fixes for binary packaging, startup wiring, and quality gates.