Releases: frumu-ai/tandem
Release list
Tandem v0.6.7
See the assets below to download the installer for your platform.
v0.6.7 (2026-07-05)
Tandem 0.6.7 completes the secure data-boundary foundation and ships a focused
channel reliability pass for Telegram, Discord, and Slack. The data-boundary
work now spans the standalone policy/evidence crate, runtime provider-gate
integration, enforcement actions, protected audit records, source-side guards,
and an admin monitoring read model. The channel work fixes the recent
production failure modes around Codex OAuth refresh, retired provider defaults,
partial channel configs, false-positive auth-error sanitization, and
cross-user/cross-scope memory isolation.
Secure Data Boundary
The new tandem-data-boundary decision engine now evaluates sensitive-data
findings against provider boundary policy without persisting raw prompt text,
tool output, secrets, customer data, or model output. Decisions, findings, and
runtime events carry only audit-safe evidence such as classes, counts, spans,
reason codes, payload hashes, policy fingerprints, provider/model metadata, and
tenant/workspace/deployment refs.
Runtime integration is now available behind TANDEM_DATA_BOUNDARY_MODE
(off, audit, or enforce). In audit mode the engine evaluates the fully
assembled provider request immediately before dispatch and records
data_boundary.* events plus consequential protected-audit entries without
blocking or mutating requests. In enforce mode the gate can block dispatch,
redact/tokenize matched spans, require explicit operator approval, or fail
closed when strict posture requirements are not met. Provider classification is
configurable through TANDEM_DATA_BOUNDARY_PROVIDER_CLASSES, with built-in
local defaults for loopback providers and strict fail-closed behavior for
unclassified or prohibited providers when enabled.
Data-boundary coverage also now observes source material before it becomes
provider context: tool/MCP results, prompt-context-hook injections, and
workflow email-delivery artifacts emit audit-safe data_boundary.evaluated
events when findings exist. A new admin-gated
GET /audit/data-boundary/monitoring endpoint aggregates protected-audit
records by tenant, provider, model, boundary class, action, sensitive class,
source kind, classification source, policy fingerprint, and repeated payload
hashes. Planning docs define the future policy UI/API and local-routing
contract without adding a second enforcement path.
Context And Memory Safety
Long tool-heavy sessions now demote stale historical tool invocations in
provider-facing chat history to concise summaries with provenance handles,
while preserving recent invocations and leaving stored session records
untouched. This reduces repeated provider context load and adds telemetry for
demoted invocation count and saved characters.
Channel memory isolation was tightened across the write, read, and tool paths.
Channel prompt requests now include a platform-and-sender memory subject so one
Telegram/Discord/Slack user no longer shares the generic default global
memory subject with every other bot user. Channel memory tools now trust the
engine-injected session/project scope instead of model-supplied overrides, and
channel models can no longer write global-tier memory. Governed run-memory
ingestion now preserves tenant context on user/assistant/tool records, and
memory_delete/memory_demote enforce subject ownership before mutating
global memory records outside local unrestricted mode.
Channel And Provider Reliability
OpenAI Codex OAuth credentials managed by codex-cli can now refresh in
process from the persisted refresh token. The session run retry path forces a
refresh and retries once after an AUTHENTICATION_ERROR, and refresh failures
publish internal reauth signals instead of only surfacing raw channel errors.
Web-served control panels now derive the Codex OAuth callback from the public
panel URL or forwarded origin when available, while preserving localhost
callbacks for local desktop flows.
The Codex model catalog removed the phantom gpt-5.1-codex-max entry, added
gpt-5.6, and now heals a persisted default model when it no longer exists in
the supported catalog, falling back to the compiled gpt-5.5 default instead
of failing every channel run. Channel startup now tolerates saved Slack,
Discord, or Telegram entries that are partially configured or redacted, filters
incomplete listeners before startup, and reports connection state from runnable
listener config instead of merely from saved channel entries.
Channel auth-error sanitization is now more precise: real leading
ENGINE_ERROR: AUTHENTICATION... replies are still hidden from Telegram,
Discord, and Slack users, but ordinary explanatory responses that merely
mention AUTHENTICATION_ERROR or ENGINE_ERROR are no longer replaced with the
generic "assistant temporarily unavailable" message.
Setup And Release Tooling
Setup no longer lets repo-root .env.example hijack machine-specific engine or
control-panel state directories. Example values for TANDEM_STATE_DIR and
TANDEM_CONTROL_PANEL_STATE_DIR are ignored during bootstrap, while real
overrides from the user's own .env or existing generated env file still win.
This prevents Linux deployments from accidentally writing state into a literal
Windows-style %HOME%\...\.bench-state path.
The release-note extractor now refuses to publish notes that still say
Unreleased or long unstructured walls of text without headings/bullets, so
GitHub release bodies fail closed instead of shipping unreadable generated
notes.
Full Changelog: v0.6.6...v0.6.7
Tandem v0.6.6
See the assets below to download the installer for your platform.
v0.6.6 (2026-07-04)
Tandem 0.6.6 fixes a production reliability gap in channel messaging: Telegram,
Discord, and Slack replies (along with automations and scheduled runs) could
fail with AUTHENTICATION_ERROR once the OpenAI Codex OAuth access token
expired, because the token was previously only refreshed as a side effect of
the control panel polling its own status endpoint. An engine-side background
task now keeps that credential fresh on its own schedule, and any run that
still hits an expired token refreshes and retries once transparently before
surfacing an error to the channel. Channel status reporting was also
corrected so a connected listener no longer shows as disconnected from a
stale boot-time snapshot, and a config parse failure that used to silently
disable every channel now logs loudly instead.
This release also continues hardening the stateful automation runtime:
retrying a dead-lettered tool effect now actually re-executes it through the
normal governed dispatch path instead of only recording intent, a new
compensation execution engine drives compensate_pending_effects recovery
choices through an auditable runtime path with idempotent completions, and a
startup-recovery sweep replays durable-wait wakes that could previously be
lost if the engine crashed between finalizing a wait and requeuing its run.
Webhook intake retention no longer runs a synchronous full-tenant prune
inline on every request (now bounded by a hard event cap and handled by the
existing background reaper), and an early-arriving correlated webhook now
replays against a wait registered just after it arrives instead of orphaning
its run. Three security hardening passes landed alongside this work:
knowledge-scope memory governance now fails closed for records missing
scope metadata, stateful runtime tenant scoping was tightened across
approvals and MCP phase tool authority, and unsigned dev-mode webhook
signatures can no longer be enabled outside local single-tenant mode
regardless of the opt-in flag.
The Control Panel received a substantial design-consistency pass: a real
Icon component replaces the previous DOM-scan/MutationObserver icon
mechanism that could drop or duplicate icons under Preact's diffing;
hardcoded colors that broke the Porcelain light theme (most visibly,
near-invisible panel headings) and an off-theme calendar were routed through
theme tokens; border-radius, caption/micro text sizes, and dead glow/glass
CSS were consolidated onto single mechanisms; the sidebar's 19 routes are now
grouped into labeled sections; Enterprise Admin's six creation forms moved
into on-demand drawers; and a dismissible setup banner replaced the floating
onboarding modal. Several smaller fixes round out the pass: the chat right
rail is now reachable on tablet/small-laptop widths via a drawer, a blocked
automation status no longer renders as success-green, first paint no longer
flashes the wrong theme, and a handful of icon-only controls gained
accessible names.
Full Changelog: v0.6.5...v0.6.6
Tandem v0.6.5
See the assets below to download the installer for your platform.
v0.6.5 (Unreleased)
Tandem 0.6.5 is currently in development. This train starts the stateful agent
runtime work with enterprise-aware durable run scope, event, and snapshot
foundations. Snapshot-backed automation runs now expose stable definition
versions and sha256: snapshot hashes for future replay and resume checks, and
restart-interrupted Automation V2 runs are queued for resume when their
persisted checkpoint is recoverable while corrupt in-flight records continue to
fail closed. Automation V2 retry handling now also has a shared policy schema
and structured retry decision record so node failures can explain retryability,
attempt budget, terminal behavior, and next retry timing while preserving legacy
max_attempts compatibility.
The new tandem-data-boundary crate establishes the secure data-boundary
foundation for future provider-routing and context-governance work. It defines
serializable policy, input, finding, decision, and event contract types that
carry provider/model metadata, tenant/workspace/deployment refs, payload hashes,
policy fingerprints, reason codes, action tags, and finding counts without
embedding raw prompts, tool results, secrets, customer data, or model outputs.
It now also includes deterministic local detector findings for common PII,
financial, credential, secret, private-key, AWS-key, high-entropy, and simple
PHI marker spans, with evidence hashes plus redaction/tokenization placeholder
maps that preserve prompt structure without persisting raw matched values.
fail closed. Automation V2 run claims are now persisted with lease metadata, and
expired launch claims without active session or agent handles are reclaimed back
to the queue so only one executor can safely resume the run.
fail closed. Automation V2 webhook intake now persists tenant-scoped
idempotency keys before creating runs, reports accepted/duplicate/conflict
dedupe outcomes on delivery records and SDK types, and keeps original
delivery/run correlation available after restarts so provider retries do not
fan out duplicate automation runs.
Durable stateful runs now carry explicit workflow phases, transition history,
and allowed next phases so future long-running automation APIs can resume,
pause, and inspect runs through a guarded state machine instead of ad hoc
status strings. Legacy stateful runtime snapshots that predate those phase
fields derive a compatible phase state from their stored status when read.
Automation webhooks now persist tenant-scoped raw inbox events with raw payload
pointers, body/header digests, redacted header previews, and delivery/run
correlation for accepted, rejected, and duplicate intake paths.
Automation webhooks now use a provider-aware signature verification registry
with queryable delivery verification metadata, keeping Tandem HMAC compatibility
while preparing GitHub-style and shared-secret provider schemes.
Durable wait foundations now persist timer/webhook/approval wait metadata,
tenant-boundary identity, wake times, timeout policy, and wake claim state for
future sleep/resume scheduling.
The Automation V2 executor now runs a durable stateful wait scheduler tick that
claims due waits, recovers missed timer wakeups after downtime, records
idempotent wake/timeout events and snapshots, and marks timeout cancellations
or escalations for operator visibility.
Timer and webhook wait completions now reserve only the active leased claim
before durable wake writes, then terminalize the wait with the locked per-run
event sequence after those writes finish so concurrent completions cannot race
into duplicate sequence numbers.
Stateful runtime persistence now hardens wait, reliability, snapshot, and event
logs for crash recovery: JSON store mutations fail closed by sidelining corrupt
files, atomic writes sync temp files before rename, and event-log appends repair
torn JSONL tails before writing the next durable event.
Enterprise policy inheritance now preserves compliance floors before runtime
wiring: ancestor deny and approval-required rules block weaker descendant rules
unless explicitly marked overridable, and tenant/org-unit/workflow/phase scope
IDs are normalized for matching so case drift cannot suppress deny rules or hide
stateful runtime org-unit summaries and active grants.
Runtime policy decisions now consume that resolver directly: the server loads
enterprise/policy_rules.json, resolves each recorded policy decision through
the enterprise inheritance model across every recorded data class, enforces the
resolved result in gate, authority, fintech protected-action receipt, MCP
preflight, and memory promotion helpers, and stores inherited sources for replay.
Knowledge-scope memory governance now fails closed for source-bound gaps:
workflow-phase retrieval requires registered source-bound scope metadata, and
source-bound memory writes or promotions are blocked unless the derived memory
carries explicit knowledge_scope_registry policy metadata that matches the
source resource, source binding, and data class being written or promoted.
Source-bound manual imports now stamp imported chunks with that matching
registry metadata so governed workflow-phase reads can authorize imported
source chunks instead of hiding them as unregistered source-bound memory.
Promotion checks also preserve that source-resource registry shape when
validated source-binding metadata is present, while authority-only scope claims
still require a source_binding registry resource.
Automation V2 runs now also bridge those durable waits back into the live run
store: approval gates register and complete stateful approval waits, while
timer and webhook wait wakes requeue the authoritative automation run so the
executor can resume after a persisted wake event.
Stateful runtime event and snapshot read endpoints are now available for
tenant-filtered replay/debug and future control-panel views.
Stateful runtime run list and detail endpoints now provide canonical
tenant-filtered run records with current wait, latest event, latest snapshot,
and replay-boundary metadata, and the control-panel run list prefers those
endpoints while retaining the legacy fan-out fallback.
Canonical stateful runtime run responses now also include enterprise scope
summaries with resolved organization units, active org-unit grants, visible
knowledge source bindings, and filters for org unit, owner, resource, policy,
data class, risk tier, delegation grant, and source binding. The Control Panel
run dashboard surfaces those fields as scope metrics, filters, and per-run scope
cards.
Automation V2 lifecycle transitions now project into the authoritative
stateful runtime event and snapshot stores. Each newly recorded lifecycle
boundary gets an idempotent stateful event, monotonic per-run sequence, summary
snapshot, checkpoint digest, and workflow definition version/hash metadata so
future replay and resume paths can inspect durable run history without reading
only the hot embedded checkpoint.
Automation V2 run records now also persist first-class workflow definition
version and snapshot hash fields, backfill them from existing run snapshots on
load, expose them through SDK types, and fail restart recovery closed if the
recorded snapshot hash no longer matches the available definition.
Incident Monitor routing now supports Linear issue destinations
with MCP readiness checks, duplicate issue matching, destination-aware receipts,
and external-action records, and publish/recheck errors include the underlying
destination failure chain for easier operator diagnosis.
Incident Monitor routing also supports signed webhook destinations
with env-backed HMAC secrets, default SSRF blocking for private/internal URLs,
bounded payloads and response excerpts, capped retry attempts, and durable
per-delivery receipts. URL validation classifies parsed IPv4/IPv6 literals
before DNS lookup so IPv4-mapped private IPv6 webhook hosts fail closed
consistently across platforms.
Incident Monitor routing now also supports local telemetry and
internal memory destinations. Telemetry publishes durable destination-aware post
receipts that can be filtered by destination id, while internal memory
destinations store bounded, redacted summaries with category-specific record
refs and duplicate suppression.
Generic MCP tool destinations can now be configured for Incident Monitor routing.
These destinations fail closed unless an admin-configured
destination names the MCP server/tool, sets allow_publish, and provides an
explicit payload mapping. Route preview reports server/tool/mapping readiness
without executing tools, and publish attempts record destination, route, tool,
redacted receipt, duplicate-suppression, and failure details.
Incident Monitor incidents can now carry AI-agent safety and risk context without
breaking existing submissions. Drafts and incidents persist
redacted actor, model, tool, action, policy, approval state, risk category,
blast radius, and external correlation ids; SDK models and destination payloads
expose the context, and route preview can match risk categories for targeted
safety routing.
Incident Monitor can now generate production deployment cards for governed
agents, workflows, monitored sources, and Tandem self-monitoring. The read-only
endpoint combines authority inventory with operator-supplied purpose, owner,
accountability, approval, escalation, data-classification, and review metadata,
exports JSON/Markdown cards, and returns structured posture findings when
required production-governance fields are missing. Monitored-source cards now
link source posture evidence by source/project identifiers as well as canonical
source refs.
Incident Monitor monitored sources now have first-class data-readiness gates.
Projects and log sources can declare owner, system of record, classification,
allowed use, lineage/source-of-truth, freshness SLA and observation timestamp,
expected schema version...
Tandem v0.6.4
See the assets below to download the installer for your platform.
v0.6.4 (2026-06-28)
Tandem 0.6.4 adds secure Automation V2 webhook management and improves the
control-panel editing experience for generated workflow automations. Operators
can configure scoped webhook triggers, inspect sanitized delivery history, and
use the Studio-inspired workflow map to understand and tune generated nodes,
especially prompts and MCP-bound steps, from the existing edit modal.
Automation Webhooks
- Automation V2 now exposes authenticated webhook management APIs for trigger
list/create/read/update/disable/delete, one-time secret rotation, and scoped
delivery history inspection without making public intake routes part of the
management surface. - The
Edit workflow automationmodal now includes webhook trigger management:
create triggers, copy callback URLs, reveal generated secrets once, rotate or
disable triggers, and inspect sanitized recent deliveries with queued run
references. - Management responses redact raw secrets, stored secret references, secret
digests, raw payloads, auth headers, cookies, bearer tokens, and API-key-like
preview fields while preserving safe delivery metadata for operators.
Automation Webhooks
- Automation V2 now accepts signed public webhook deliveries at trigger-scoped
URLs without requiring the normal Tandem transport token on that one route.
The handler resolves tenant and automation only from the stored trigger,
verifies HMAC signatures and replay windows, enforces JSON payload handling,
and records sanitized internal rejection delivery records without leaking
trigger, tenant, automation, or signature details in public errors. - Accepted webhook deliveries now queue Automation V2 runs with
trigger_type = "webhook", delivery/trigger/provider provenance on the run
snapshot, tenant context inherited from the trigger-bound automation,
duplicate suppression, andautomation.v2.run.createdevents with
triggerType: "webhook".
Visual Workflow Editing
- The
Edit workflow automationmodal now starts with a Studio-inspired flow
map that groups workflow nodes into dependency stages, shows start nodes and
upstream dependency counts, and flags missing dependencies before operators
start editing individual node prompts. - Flow-map node cards summarize the details operators need while reviewing a
generated automation: bound agent, objective preview, input-reference count,
output kind, inherited workflow MCP servers, task-specific MCP overrides, and
send-capable MCP tool usage. - Selecting a node in the map scrolls directly to that node's prompt/model/MCP
editor card and highlights it, making generated workflows easier to adjust
without hunting through a long modal. - Workflow edit drafts now retain dependency, input-reference, stage, and output
metadata from the saved automation payload so the visual editor can represent
the actual generated flow instead of only showing editable prompt text. - The prompt editor section now opens by default, which makes the map useful for
generic reusable workflow tuning where the common edit is changing a node's
objective prompt while keeping the generated structure intact.
Full Changelog: v0.6.3...v0.6.4
Tandem v0.6.3
See the assets below to download the installer for your platform.
v0.6.3 (2026-06-26)
Tandem 0.6.3 is a patch release for workflow-runtime reliability and Bug
Monitor routing. It repairs the MCP/Notion/Composio workflow paths exercised by
the Reddit infrastructure leads automation, and it advances Bug Monitor toward
destination-neutral incident routing while preserving the current GitHub
publishing behavior.
Automation V2 MCP Workflows
- Automation V2 execution errors now classify provider request failures as
transient and give provider/write-related artifact misses a minimum retry
budget before terminal failure. This prevents low-retry Reddit/Notion workflow
branches from failing immediately on flaky provider calls or missing artifact
writes. - Workflow edits now preserve the full Automation V2 agents and flow payload
when saving from the summary editor, so MCP-enabled workflows do not lose node
execution configuration after operators change model routing, swarm settings,
or MCP access. - Exact connector-tool workflows no longer receive contradictory instructions
to callmcp_listfirst when concrete MCP tools are already bound. This keeps
Notion/Composio-style automations on the intended tool path and avoids
required-tool failures caused by discovery-only turns. - Workflow artifact and source validation now treats MCP tool ids as connector
tools instead of workspace files, carries upstream artifact paths into
concrete source coverage, and recognizes Notion page/database operations as
outbound connector actions. - Connector action progress is guarded more tightly: artifact-write nodes only
complete after a productive write to the declared artifact target, blocked
runs clean up correctly, and runtime tests cover the connector-action review
and artifact-write failure modes. - MCP OAuth cleanup now removes stale secret-header and OAuth credential
material when auth is deleted, canonical OAuth credentials can be reused during
refresh, and MCP public base URL handling is shared through one helper. - Connector-backed workflow searches now capture full remote result files into
run artifacts before model filtering. This prevents large Composio Reddit
responses from being reduced to model-visible previews, which previously let
runs complete cleanly while leaving downstream Notion writer nodes with too
few or zero rows. - Generic connector-row filtering now reads validated source artifacts,
preserves writer-ready fields such as title, link, author, and duplicate-key
values, and hands Notion writers complete rows without relying on
workflow-specific prompt fixes. The Reddit infrastructure leads workflow was
used as the validation shape, but the materialization path is connector
generic for larger future data-collection workflows.
MCP Control Panel
- MCP Settings now keeps large tool allowlists collapsed by default with an
animated expand control, reducing the amount of space each connected server
consumes in the list. - MCP servers that still require OAuth or are otherwise disconnected are sorted
to the top so operators can see and complete the required connection step
before trying to use the server in workflows. - The built-in MCP catalog copy now uses clearer add wording instead of the
previous pack-oriented label, and scoped MCP inventory output is more compact
for large connected servers.
Bug Monitor Routing
- Bug Monitor now has destination-neutral Incident Monitor routing foundations:
destination readiness, route preview APIs, destination-aware post
filtering/idempotency, and TypeScript/Python SDK types. - A centralized
bug_monitor::routerhandles route preview, route matching,
destination readiness checks, and publish dispatch for manual, automatic,
approval, recovery, timeout, and service paths. GitHub remains the only
executable destination in this phase, and unsupported destination overrides
fail closed without creating posts. - Monitored projects and log sources can now carry route bindings for source
kind, route tag, destination allow/default policy, tenant/workspace scope,
approval policy, redaction, and retention metadata. - Source bindings propagate through log watcher intake, scoped raw reports,
drafts, incidents, route preview, recovery publishes, and publish validation.
Raw source-supplied routing fields are sanitized before configured source
lookup, granted approvals are respected, and high-risk raw sources default to
safer approval behavior. - Control Panel source setup display, SDK event models, external-log intake
documentation, and regression coverage were updated for source-bound routing.
Full Changelog: v0.6.2...v0.6.3
Tandem v0.6.2
See the assets below to download the installer for your platform.
v0.6.2 (2026-06-23)
Tandem 0.6.2 starts the enterprise MCP identity workstream for multi-employee
runtime deployments. The first change is a source-of-truth design for separating
MCP server definitions from user-owned, service-principal, shared, and delegated
MCP connections.
Runtime Observability
- Runtime event persistence now consumes an opt-in bounded event-bus queue, so
canonical run/session events published after persister registration are
written toruntime/events.jsonlwithout depending on the live broadcast
stream or retaining events in eval-only buses. - Observability events and exports now carry tenant IDs (
org_id,
workspace_id) as ID-only fields. A config-gated authenticated/metrics
endpoint exposes scheduler queue depth, scheduler tick latency, run duration,
gate wait, tool decision, and provider error metrics, while optional Sentry
export is feature-gated and rebuilt through a scrubber that drops prompts,
completions, tool arguments, and free-text details.
Workflow Runtime Reliability
- Workflow definitions now have an opt-in strict action validation path backed
by a typed action registry. Built-in workflow actions validate theirwith
payloads before execution, strict loads reject unknown actions with
source/step/field diagnostics, and MCP/tool actions can be checked against the
host tool catalog schema before a workflow is saved or run. - Session history, Automation V2 run stores, and per-run history shards now use
schema-versioned persistence envelopes. Legacy bare-map/bare-record files load
through explicit v0-to-v1 migrations and rewrite safely, future schema
versions fail closed without overwriting state, compatibility fixtures protect
paused awaiting-approval run state, and the memory DB records its bootstrap
schema in an idempotentschema_migrationsledger. - Automation V2 restart coverage now exercises persisted reload behavior for
queued, awaiting-approval, blocked, and running runs. Golden assertions compare
uninterrupted and restarted outcomes, duplicate approval clicks remain
idempotent, and in-flight consequential work is failed on server restart
without replaying node attempts or fabricating outputs. - Approval-gated Automation V2 runs now have failure-injection coverage for
concurrent approvals, provider failure immediately after approval, stale gate
decisions, half-applied gate decisions after restart, and corrupted checkpoint
entries. Restart recovery settles already-recorded approve/cancel decisions,
preserves rework re-arming, clears stale gate-local failure markers on
approval, and quarantines malformed individual run checkpoints as blocked
diagnostics instead of crashing scheduler startup. - Approval gates now support expiry policy metadata for default and per-gate
deadlines. The executor can auto-cancel expired gates, record reminder or
escalation lifecycle/audit events, redispatch approval notifications with
changing notification keys, reject late human decisions after auto-cancel
expiry, and expose gate deadlines in the unified approvals API and
control-panel inbox. - Session-level PermissionManager asks now persist to durable state with
decision history and provenance-bearing standing rules. Pending prompts left
behind by a restart are markedruntime_restartedso the next tool attempt
re-asks deterministically, and permission replies now write protected audit
evidence with actor, request, decision, and rule provenance. Stale persisted
request IDs are rejected after restart, and concurrent state-file writes are
serialized so simultaneous prompts and decisions remain durable. - Dogfooding bugs now have a permanent replay lane:
eval_datasets/dogfooding_regressions.yaml
seeds five recent workflow/runtime bug classes,bug-monitor-fixturescaffolds
sanitized eval fixtures from Bug Monitor incidents, and a nightly workflow runs
the dogfooding regression dataset througheval-runner --engine-mode stub.
Stub/live eval-runner modes now use Tokio's multithreaded runtime so local
in-process Automation V2 evals do not overflow the single-thread runtime stack. - Rust CI now has a security and coverage lane: cargo-audit, cargo-deny,
documented exception handling, and nightly governance-critical llvm-cov
artifacts fortandem-tools,tandem-plan-compiler, andtandem-automation.
The first cargo-deny baseline records scoped license exceptions with owners,
reasons, and expiry dates so follow-up hardening is auditable. - A seeded approval-gated email demo now exercises the enterprise MCP approval
pattern without real credentials.just demostarts an isolated engine plus a
local HTTP MCP email stub, drafts mail, pauses at an Automation V2 approval
gate, supports approve/cancel/rework paths, sends only after approval, and
writes audit evidence for gate decisions, tool ledger events, drafts, and the
outbox. A nightly non-interactive workflow runs the same path in CI.
Runtime Governance
- Provider auth credential storage now lives in
tandem-providersinstead of
tandem-core, with compatibility re-exports left in core for existing
callers. This starts the TAN-205 crate-boundary cleanup without changing
persisted credential file names or tenant-scoped credential behavior. - Bug Monitor domain logic now lives in a dedicated
tandem-bug-monitorcrate.
The moved layer owns Bug Monitor records, log parsing and evidence artifact
rendering, recurrence comment summaries, deterministic error provenance, and
the GitHub publish algorithm, whiletandem-serverprovides a thin
AppState/HTTP/MCP host shim and compatibility re-exports for current callers.
The host shim keeps duplicate post detection and ambiguous failed-create
suppression on scoped, uncapped storage lookups rather than the public capped
post-list API. - Bug Monitor log sources that start at EOF now keep missing-file health updates
separate from successful first positioning. If a watched log appears later
with bootstrap/history content, Tandem seeks to the end before ingesting new
lines instead of replaying the preexisting file. - The eval framework now lives in a dedicated
tandem-evalcrate. The
eval-runner CLI, datasets/metrics/regression helpers, scripted provider,
isolated AppState bootstrap, and Bug Monitor fixture scaffold moved out of
tandem-server; eval CI now buildscargo build --bin eval-runner -p tandem-evalwhile the server exposes only narrow public eval-support
wrappers for the harness. - Tool execution now flows through a governed dispatcher outside the
tandem-toolscrate. Engine turns, workflow actions, Automation V2 connector
preflight calls, direct HTTP tool execution, planner helpers, pack builder,
and the engine CLI carry tenant context and scope allowlists through one
dispatch path, which records a single policy/scope ledger event for each
dispatch before returning the tool result or denial. - Tool-call parsing, registry resolution, and approval classification now share
the same canonical tool-name normalizer. Function-style invocation parsing is
backed by a structured scanner with a committed 30+ case corpus and generated
parser drift coverage, reducing approval/dispatch disagreement for wrapper
prefixes, aliases, and concrete MCP tool names.
Enterprise MCP Identity
- Added the enterprise MCP identity and delegation design for principal-scoped
MCP connection records, tenant/actor-bound OAuth ownership, explicit run-as
resolution, local single-user migration behavior, and MCP audit identity
fields. - Added the first runtime scaffolding for scoped MCP connection records. The MCP
registry can now persist V2 state with separate server definitions and
connection records, backfill local compatibility connections from legacy
mcp_servers.json, and preserve server definitions that intentionally have no
bound account credential. - Added tenant-aware MCP reconnect and refresh paths for tool execution. When an
enterprise request carries an explicit tenant/actor context, readiness checks
now connect and discover tools with that same context, and OAuth refresh uses
tenant-scoped credential helpers instead of silently falling back to local
credentials. - Added actor-qualified MCP secret ids and exact tenant-context secret
resolution so two employees in the same workspace cannot overwrite or resolve
each other's stored MCP bearer credentials. - Added tenant/actor-scoped MCP OAuth sessions and callbacks. Hosted OAuth
sign-ins now record the initiating tenant context, principal, connection id,
and provider credential id, reject mismatched authenticated callbacks, and
persist refreshed tokens under the scoped connection instead of a shared
server-global provider account. - Tightened tenant/actor OAuth completion after review: pending sign-in polls
now keep returning the initiating session's authorization URL even when
another user starts OAuth for the same MCP server, and callback token storage
updates the scoped connection rather than the shared server row. - Moved authenticated MCP readiness state onto the scoped connection for
explicit tenants. Refresh/discovery now records session ids, pending auth, and
tool caches on the actor's connection, and tenant-aware tool lists read from
that scoped cache while local single-user mode preserves the existing server
row behavior. - Added Automation V2 MCP connection grants plus bridge-level run-as
enforcement. MCP calls can now carry selected connection/principal metadata,
cross-actor connection ids and actor-supplied service-principal selection fail
closed before upstream dispatch, and protected audit records include the
actual acting MCP principal and connection. - Added enterprise MCP isolation regressions for cross-tenant connection-id
denial and OA...
Tandem v0.6.1
See the assets below to download the installer for your platform.
v0.6.1 (2026-06-20)
Tandem 0.6.1 is a focused workflow-runtime patch release for MCP wrapper
actions. It fixes a failure mode where Automation V2 nodes that only needed to
call a concrete MCP wrapper tool were still assigned an implicit JSON artifact
path, which then made the runtime require unrelated workspace writes before the
workflow could advance.
Automation V2 MCP Wrapper Actions
- Action nodes can now explicitly disable synthesized default artifact paths
withmetadata.disable_default_output_path,
builder.disable_default_output_path, orbuilder.output_path_mode = "none". - This lets connector-wrapper workflows, including Composio Gmail draft
approval demos, hand off provider results without being forced through a
workspace artifact write path. - Added regression coverage for the new default-output opt-out behavior.
Approvals Inbox
- The unified approvals endpoint now rehydrates Automation V2 list rows through
the full run record before filtering pending gates, so a stale or skeletal run
list entry can no longer hide a live approval gate. - The control-panel inbox now sorts mixed approval sources by requested time,
putting a fresh demo approval above older ACA approvals.
Automation V2 Recovery And Portability
- Legacy
automation-v2-*context-run directories are now recovered into
Automation V2 run history. Tandem reconstructs run records, checkpoint state,
and automation snapshots fromrun_state.json, then merges the newest
recovered record into history/detail APIs and persists it back to canonical
run storage. - Recovered context runs also appear in the Automation V2 library when enough
snapshot information is present, making interrupted or pre-migration workflow
runs discoverable again instead of stranded in context-run storage. - The control panel can now export an Automation V2 JSON spec from the edit
dialog and import that JSON through the creation wizard, including replacement
confirmation when the imported automation id already exists.
Control Panel Connectivity
- ACA availability probing now has a longer default grace window, so the Coder
dashboard is less likely to flip to disconnected while a recently healthy ACA
endpoint is slow during task selection or board refresh. - When ACA is configured and the Tandem engine is healthy, ACA probe timeouts
are smoothed as degraded-but-available instead of immediately hiding Coder
actions.
MCP Provider Guidance
- The automated-agents guide now documents Composio Connect and scoped Composio
MCP server URLs separately, including generated MCP URL usage,x-api-key
requirements, and REST-only setup examples for creating and generating
Composio MCP server URLs.
Release Metadata
- Bumped Tandem Rust workspace, desktop, npm, and Python manifests to
0.6.1. - Updated the version bump script so the meta-harness crate and desktop Tauri
lockfile are included in future release bumps.
Full Changelog: v0.6.0...v0.6.1
Tandem v0.6.0
See the assets below to download the installer for your platform.
v0.6.0 (2026-06-17)
Tandem 0.6.0 is a security- and assurance-focused release that lays the
foundation for cross-tenant data governance, governed runtime decisions, and
goal-driven capability composition. It adds eval-backed, CI-enforced proof that
tenant boundaries hold at runtime, tenant-scopes approval/audit/provider paths,
hardens MCP and memory egress, and gives operators better ACA cockpit and
feedback surfaces. The later 0.6.0 hardening work also adds an Action
Firewall eval suite, explicit memory ciphertext-at-rest modes, tenant-scoped
protected audit evidence, context-budget/provenance guardrails, EU AI Act
export evidence, repo-intelligence graph queries, runtime observability, and
the first meta-harness evaluation models for scoring workflow candidates.
Desktop Provider Setup
- Desktop settings now has a dedicated Providers tab, so LLM provider setup is
no longer buried in the general Settings page. - OpenAI Codex account auth is available from the desktop provider panel. Users
can sign in through the browser, import an existing local Codex session,
reconnect, or disconnect the stored Codex OAuth session. - Built-in desktop provider coverage now includes OpenAI Codex, OpenRouter,
Anthropic, OpenAI, Groq, Mistral, Together, Cohere, llama.cpp, Ollama, Poe,
Azure OpenAI-compatible, Amazon Bedrock-compatible, Vertex-compatible, and
GitHub Copilot-compatible providers. - Provider/model selection is more robust: authenticated or local/keyless
providers can persist the selected model, while unauthenticated hosted
provider toggles no longer masquerade as configured chat models. Chat session
creation also falls back to the enabled/default provider slot when the model
picker has not populated an explicit value yet. - The engine now honors the managed
OPENCODE_CONFIGpath supplied by the
desktop launcher, keeping the provider UI and sidecar registry in sync during
local Tauri development and packaged desktop runs. - Session creation persistence errors now return structured details instead of
a bare500 Internal Server Error. Windows temp-file sync/replace handling
retries transientAccess is deniedfailures that can happen while saving the
first chat session.
Enterprise Hardening Snapshot
- The Action Firewall now has regression coverage and a demo preset for
protected action decisions before tool execution. - Tenant-scoped protected audit ledger and governance evidence export surfaces
make protected decisions traceable across policy decisions, audit records,
tool-effect ledger entries, and run context. - Cross-tenant grants now have public contract/server implementation surfaces
and positive sharing eval coverage. Ordinary tenant boundaries still fail
closed; cross-tenant access must be represented as an explicit governed grant. - Default data-boundary and cross-tenant grant design docs describe how
governed reads, inbound lookup, trust roots, and explicit sharing compose. - Egress DLP preflight checks outbound agent-team actions before they leave the
runtime boundary. - Sensitive-path basename fallback protections were rechecked, and shared
SSRF URL/IP validation now covers web fetch and browser navigation paths.
Evaluation Gate Assurance
- The per-PR evaluation regression gate now fails closed when
eval-runner
cannot build or when an evaluation run crashes. Earlier CI behavior could
emit hardcoded passing JSON for the critical-path, tenant-isolation, and
action-firewall datasets, creating a plausible green check even when the
runner was broken. The gate now buildseval-runneras a required step, runs
each dataset through the binary directly, and reports missing results in the
PR comment instead of fabricating pass rates. - Full workspace test coverage now runs through
cargo-nextest, and an
end-to-endtandem-enginesmoke-test CLI gives release validation a direct
runtime path rather than only unit-level proof. - The meta-harness work now includes prompt-injection exfiltration and
blast-radius evaluation coverage, expanding the release's regression suite
beyond workflow scoring into adversarial context handling.
Compliance Evidence And Exports
- EU AI Act readiness now includes deployment-scope tracking, Article 50
transparency badges/labels, hash-chained audit ledgers, SIEM export guidance,
and generated-artifact provenance preservation across exports. - Protected-action and approval evidence now records completeness checks, so
operators can distinguish complete, incomplete, and unsupported evidence
packages when auditing governed runtime decisions. - Exported artifacts preserve generation provenance and Article 50 labels,
keeping downstream compliance packages tied to the run and policy evidence
that produced them.
Runtime Diagnostics And Release Safety
- Startup config validation catches invalid or surprising runtime configuration
before the engine proceeds, reducing silent misconfiguration during desktop,
local, and hosted launches. - Runtime observability events are persisted, giving operators and debugging
tools durable lifecycle evidence rather than relying only on transient logs. - Structured HTTP error codes make API failures easier to classify and recover
from, including provider/session setup paths that previously collapsed into
generic server errors. - Tandem-server panic-surface guards, async runtime hygiene checks, and
tandem-tools path sandbox regression tests reduce release risk around server
crashes, blocking runtime mistakes, and filesystem escape regressions.
Repo Intelligence And Workflow Graphs
- Repo intelligence now has manifest/fact extraction, persistent store/query
APIs, context bundle queries, exposed tools, quality regressions, metrics,
debug export, and GraphRAG retrieval improvements. - Workflow and run graph foundations now support context graph storage,
governed query envelopes, runtime planning queries, memory/rerun queries,
failure-causality analysis, workflow impact analysis, routing hints, and
benchmark reporting. - The graph and repo-intelligence crates are included in release automation so
these new diagnostics are built and validated with the shipped workspace.
Cross-Tenant Data Governance
- Hosted and enterprise requests now rely on signed tenant-context assertions
as the trust primitive. Assertions are Ed25519 JWS values selected bykid,
validated against issuer/audience, expiry, explicit deployment scope, actor
consistency, key metadata, allowed resource-scope prefixes, and a replay
policy (boundby default, withone_shotavailable for per-request
issuers).docs/CONTEXT_ASSERTION_SECURITY.mddocuments configuration and
operational guidance. - A dedicated
tenant_isolationevaluation dataset now runs in the per-PR
regression gate, covering must-block scenarios: cross-tenant source/secret
access and cross-tenant memory reads must fail closed and emit audit evidence
(CT-01). - The local eval-runner stub mode boots a real in-process
AppState, so the
cross-tenant evals exercise real tenant-scoped enforcement instead of
deterministically echoed output shapes (CT-16). - A real-engine isolation eval proves that an automation running as tenant A
cannot read a resource that exists only for tenant B through the runtime tool
path (CT-02). - The audit read path (
/audit/stream) is now tenant-scoped: it fails closed
for explicit tenants, recognizes both nestedtenantContextand flat tenant
tags, and remains a no-op for local/single-tenant deployments.fintechand
tool-effect audit events are now tagged with their originating tenant so they
remain visible to their own tenant while staying isolated from others. New
unit, HTTP-integration, and eval coverage assert that tenant B cannot read
tenant A's audit events (CT-04). - Memory promotion is now tenant-scoped, preventing untrusted memory from being
promoted across tenant boundaries. A new eval dataset proves the isolation
(CT-03). - Channel interactions (Discord, Slack, Telegram) now enforce tenant routing,
failing closed at the channel interaction audit layer when cross-tenant access
is attempted (CT-05). - Knowledge retrieval now has a dedicated negative eval proving tenant B cannot
retrieve tenant A's knowledge-base items, and skills isolation is locked by a
regression test showing project skills resolve only from the executing
workspace root (CT-08). - Provider catalog discovery and provider throttles are tenant-scoped. Explicit
hosted tenants use only their own persisted provider auth, cannot inherit
shared config/env/local runtime provider keys, and do not get queued behind
another tenant's provider backoff. - Store-backed MCP secret headers are checked against the executing tenant
before OAuth refresh or outbound MCP calls, returning tenant-scope denials for
cross-tenant secret attempts. - Governance approval receipts now carry the issuing tenant. Cross-tenant
approve/deny attempts fail closed without leaking receipt existence, approval
listing is tenant-scoped, and approval audit events use the real tenant
context (CT-09). - Automation spend/quota guards are keyed by tenant for explicit tenants, so
one tenant's same-named agent cannot pause or block another tenant's run
lifecycle (CT-10).
Memory Security Hardening
- A memory retrieval gateway governs channel reads, applying tenant and source
scoping before retrieved memory is used in channel responses. - Retrieval egress controls (TAN-102) restrict which retrieved memory and
knowledge can leave through session knowledge-base grounding and export paths. - Memory crypto mode is now explicit. Local/default installs remain plaintext,
local encrypted mode stores encryptable memory payload columns as
AES-256-GCM ciphertext, and hosted KMS mode fails ...
Tandem v0.5.13
See the assets below to download the installer for your platform.
v0.5.13 (2026-06-02)
Tandem 0.5.13 combines the Linear-backed Coder intake work with a focused
runtime security hardening pass. The release tightens local API exposure,
workspace mutation defaults, shell execution, tenant scoping, audit/event
visibility, secret storage, and browser/provider network guardrails.
Coder Linear Intake
- The Coder control panel can now register ACA projects backed by Linear teams
and projects, with optional launch-status, label, and search-query filters. - The Coder intake board now renders both GitHub Project items and Linear
issues through one scheduler-aware issue board, including batch launch,
active-run detection, and direct issue links. - Coder overview and intake refresh messaging now reflect the selected issue
source, including Linear MCP connection state when a Linear-backed project is
selected.
Automations V2 Reliability
- Automations V2 completion is now gated by terminal checkpoint integrity and
contract-aware deliverable assertions instead of only checking for empty
pending-node queues. - Required file deliverables must exist, be substantive, and pass basic shape
checks; missing or weak deliverables requeue the owning node while repair
attempts remain. - Required email delivery and generic outbound connector actions now need
successful receipt evidence before the run can complete. Model prose alone no
longer satisfies governed side effects. - Workflow graph validation now rejects dependency cycles and keeps
input_refs
aligned with readiness dependencies, including through budget compaction and
strict sequential plans. - Verification failures now retry through the repair path until attempt budget
is exhausted, and verification failure detection is scoped to verification
output rather than unrelated artifact prose. - Recoverable tool execution errors are surfaced to the model for adaptation,
while cancellation, shutdown, runtime-not-ready, and write-required
permission failures remain loud failures. - Timer-triggered automations now dedupe queued/running runs the same way watch
triggers do, preventing slow scheduled workflows from accumulating backlogs. - Parked-state lifecycle handling is explicit: approval gates can be marked as
visibly stale under a manual-only policy, guardrail-stopped runs can
auto-resume after approved quota overrides, stale reaping honors active
run-registry heartbeats, and node execution uses idle/no-progress timeouts
with an absolute ceiling. - Warning outcomes are now consistent across runtime and learning surfaces:
accepted_with_warningsremains passable only without unmet requirements,
but it is not counted as a clean workflow-learning validation pass and does
not generate positive learning evidence.
Runtime Security Hardening
- Local engine HTTP API startup now refuses unauthenticated non-loopback binds,
and token-clearing no longer reopens the API. - HTTP MCP registration rejects arbitrary
stdio:transports. - File write, edit, and patch tools now ask by default instead of silently
mutating the workspace. - Batch sub-calls pass through permission and sandbox evaluation so nested tool
calls cannot skip approval gates. - Workspace and write-policy checks fail closed when no workspace root can be
resolved. - Shell execution uses Linux
bubblewrapconfinement by default, requires
workspace context, and requires an explicit unsafe opt-out for unsandboxed
shell execution. - Automation auto-approval now treats empty allowlists as deny-all and refuses
to auto-approve shell tools. - Local single-tenant mode ignores caller-supplied tenant headers; hosted and
enterprise tenant context continues to require signed assertions. - Run event streams, audit streams, and project listing now enforce tenant
ownership/visibility checks. - API tokens, vault keys, and TUI keystores are written with owner-only Unix
permissions, and vault passphrases replace the previous 4-digit PIN model. - Browser navigation fails closed without an allowlist and blocks local/private
targets; provider base URL validation rejects unsafe remote HTTP endpoints. - Provider credential debug output and bug-monitor log redaction now avoid
leaking plaintext secrets.
Compatibility Notes
- Linux hosts that need shell execution must have
bubblewrapavailable, or
explicitly setTANDEM_UNSAFE_UNSANDBOXED_SHELL=1for trusted local-only
development. - Local clients should rely on the generated/shared API token rather than
clearing token auth during development.
Full Changelog: v0.5.12...v0.5.13
Tandem v0.5.12
See the assets below to download the installer for your platform.
v0.5.12 (2026-05-27)
Tandem 0.5.12 hardens the hosted control-panel sign-in path and starts the
hosted organization access model inside the runtime. Hosted panel sessions now
carry Tandem-signed org-unit membership, capabilities, and policy-version
context, and automation v2 resources can be private, group-shared, or org-wide.
Hosted Panel Access
- Hosted panel session exchange and refresh payloads now preserve org units,
effective capabilities, and policy version from Tandem-hosted identity. /api/auth/meexposes the hosted access context so the control panel can
filter navigation and actions without treating UI hiding as enforcement.- The control-panel proxy now uses capabilities for hosted reads, automation
execution, automation writes, and sharing actions before forwarding requests
to the engine.
Runtime Resource Sharing
- Hosted automation v2 creation stamps owner/private access metadata from the
verified Tandem assertion instead of trusting caller-provided user fields. - Automation v2 list/read/run routes enforce private, group, and org visibility
in hosted mode. Private automations remain visible to their creator and
hosted admins. - Owners/admins can update automation visibility through
POST /automations/v2/{id}/share, setting private, group, or org-wide
access. - Automation mutation and repair routes now require owner/admin access for
hosted resources, while legacy/local unscoped operation remains compatible.
Compatibility
- Slack, Discord, and Telegram approval-gate integrations continue to call the
runtime gate-decision path without requiring a browser hosted assertion.
Full Changelog: v0.5.11...v0.5.12