Skip to content

Releases: frumu-ai/tandem

Tandem v0.6.7

Choose a tag to compare

@github-actions github-actions released this 05 Jul 14:32

See the assets below to download the installer for your platform.

v0.6.7 (2026-07-05)

Tandem 0.6.7 completes the secure data-boundary foundation and ships a focused
channel reliability pass for Telegram, Discord, and Slack. The data-boundary
work now spans the standalone policy/evidence crate, runtime provider-gate
integration, enforcement actions, protected audit records, source-side guards,
and an admin monitoring read model. The channel work fixes the recent
production failure modes around Codex OAuth refresh, retired provider defaults,
partial channel configs, false-positive auth-error sanitization, and
cross-user/cross-scope memory isolation.

Secure Data Boundary

The new tandem-data-boundary decision engine now evaluates sensitive-data
findings against provider boundary policy without persisting raw prompt text,
tool output, secrets, customer data, or model output. Decisions, findings, and
runtime events carry only audit-safe evidence such as classes, counts, spans,
reason codes, payload hashes, policy fingerprints, provider/model metadata, and
tenant/workspace/deployment refs.

Runtime integration is now available behind TANDEM_DATA_BOUNDARY_MODE
(off, audit, or enforce). In audit mode the engine evaluates the fully
assembled provider request immediately before dispatch and records
data_boundary.* events plus consequential protected-audit entries without
blocking or mutating requests. In enforce mode the gate can block dispatch,
redact/tokenize matched spans, require explicit operator approval, or fail
closed when strict posture requirements are not met. Provider classification is
configurable through TANDEM_DATA_BOUNDARY_PROVIDER_CLASSES, with built-in
local defaults for loopback providers and strict fail-closed behavior for
unclassified or prohibited providers when enabled.

Data-boundary coverage also now observes source material before it becomes
provider context: tool/MCP results, prompt-context-hook injections, and
workflow email-delivery artifacts emit audit-safe data_boundary.evaluated
events when findings exist. A new admin-gated
GET /audit/data-boundary/monitoring endpoint aggregates protected-audit
records by tenant, provider, model, boundary class, action, sensitive class,
source kind, classification source, policy fingerprint, and repeated payload
hashes. Planning docs define the future policy UI/API and local-routing
contract without adding a second enforcement path.

Context And Memory Safety

Long tool-heavy sessions now demote stale historical tool invocations in
provider-facing chat history to concise summaries with provenance handles,
while preserving recent invocations and leaving stored session records
untouched. This reduces repeated provider context load and adds telemetry for
demoted invocation count and saved characters.

Channel memory isolation was tightened across the write, read, and tool paths.
Channel prompt requests now include a platform-and-sender memory subject so one
Telegram/Discord/Slack user no longer shares the generic default global
memory subject with every other bot user. Channel memory tools now trust the
engine-injected session/project scope instead of model-supplied overrides, and
channel models can no longer write global-tier memory. Governed run-memory
ingestion now preserves tenant context on user/assistant/tool records, and
memory_delete/memory_demote enforce subject ownership before mutating
global memory records outside local unrestricted mode.

Channel And Provider Reliability

OpenAI Codex OAuth credentials managed by codex-cli can now refresh in
process from the persisted refresh token. The session run retry path forces a
refresh and retries once after an AUTHENTICATION_ERROR, and refresh failures
publish internal reauth signals instead of only surfacing raw channel errors.
Web-served control panels now derive the Codex OAuth callback from the public
panel URL or forwarded origin when available, while preserving localhost
callbacks for local desktop flows.

The Codex model catalog removed the phantom gpt-5.1-codex-max entry, added
gpt-5.6, and now heals a persisted default model when it no longer exists in
the supported catalog, falling back to the compiled gpt-5.5 default instead
of failing every channel run. Channel startup now tolerates saved Slack,
Discord, or Telegram entries that are partially configured or redacted, filters
incomplete listeners before startup, and reports connection state from runnable
listener config instead of merely from saved channel entries.

Channel auth-error sanitization is now more precise: real leading
ENGINE_ERROR: AUTHENTICATION... replies are still hidden from Telegram,
Discord, and Slack users, but ordinary explanatory responses that merely
mention AUTHENTICATION_ERROR or ENGINE_ERROR are no longer replaced with the
generic "assistant temporarily unavailable" message.

Setup And Release Tooling

Setup no longer lets repo-root .env.example hijack machine-specific engine or
control-panel state directories. Example values for TANDEM_STATE_DIR and
TANDEM_CONTROL_PANEL_STATE_DIR are ignored during bootstrap, while real
overrides from the user's own .env or existing generated env file still win.
This prevents Linux deployments from accidentally writing state into a literal
Windows-style %HOME%\...\.bench-state path.

The release-note extractor now refuses to publish notes that still say
Unreleased or long unstructured walls of text without headings/bullets, so
GitHub release bodies fail closed instead of shipping unreadable generated
notes.

Full Changelog: v0.6.6...v0.6.7

Tandem v0.6.6

Choose a tag to compare

@github-actions github-actions released this 04 Jul 19:39

See the assets below to download the installer for your platform.

v0.6.6 (2026-07-04)

Tandem 0.6.6 fixes a production reliability gap in channel messaging: Telegram,
Discord, and Slack replies (along with automations and scheduled runs) could
fail with AUTHENTICATION_ERROR once the OpenAI Codex OAuth access token
expired, because the token was previously only refreshed as a side effect of
the control panel polling its own status endpoint. An engine-side background
task now keeps that credential fresh on its own schedule, and any run that
still hits an expired token refreshes and retries once transparently before
surfacing an error to the channel. Channel status reporting was also
corrected so a connected listener no longer shows as disconnected from a
stale boot-time snapshot, and a config parse failure that used to silently
disable every channel now logs loudly instead.
This release also continues hardening the stateful automation runtime:
retrying a dead-lettered tool effect now actually re-executes it through the
normal governed dispatch path instead of only recording intent, a new
compensation execution engine drives compensate_pending_effects recovery
choices through an auditable runtime path with idempotent completions, and a
startup-recovery sweep replays durable-wait wakes that could previously be
lost if the engine crashed between finalizing a wait and requeuing its run.
Webhook intake retention no longer runs a synchronous full-tenant prune
inline on every request (now bounded by a hard event cap and handled by the
existing background reaper), and an early-arriving correlated webhook now
replays against a wait registered just after it arrives instead of orphaning
its run. Three security hardening passes landed alongside this work:
knowledge-scope memory governance now fails closed for records missing
scope metadata, stateful runtime tenant scoping was tightened across
approvals and MCP phase tool authority, and unsigned dev-mode webhook
signatures can no longer be enabled outside local single-tenant mode
regardless of the opt-in flag.
The Control Panel received a substantial design-consistency pass: a real
Icon component replaces the previous DOM-scan/MutationObserver icon
mechanism that could drop or duplicate icons under Preact's diffing;
hardcoded colors that broke the Porcelain light theme (most visibly,
near-invisible panel headings) and an off-theme calendar were routed through
theme tokens; border-radius, caption/micro text sizes, and dead glow/glass
CSS were consolidated onto single mechanisms; the sidebar's 19 routes are now
grouped into labeled sections; Enterprise Admin's six creation forms moved
into on-demand drawers; and a dismissible setup banner replaced the floating
onboarding modal. Several smaller fixes round out the pass: the chat right
rail is now reachable on tablet/small-laptop widths via a drawer, a blocked
automation status no longer renders as success-green, first paint no longer
flashes the wrong theme, and a handful of icon-only controls gained
accessible names.

Full Changelog: v0.6.5...v0.6.6

Tandem v0.6.5

Choose a tag to compare

@github-actions github-actions released this 03 Jul 17:08

See the assets below to download the installer for your platform.

v0.6.5 (Unreleased)

Tandem 0.6.5 is currently in development. This train starts the stateful agent
runtime work with enterprise-aware durable run scope, event, and snapshot
foundations. Snapshot-backed automation runs now expose stable definition
versions and sha256: snapshot hashes for future replay and resume checks, and
restart-interrupted Automation V2 runs are queued for resume when their
persisted checkpoint is recoverable while corrupt in-flight records continue to
fail closed. Automation V2 retry handling now also has a shared policy schema
and structured retry decision record so node failures can explain retryability,
attempt budget, terminal behavior, and next retry timing while preserving legacy
max_attempts compatibility.
The new tandem-data-boundary crate establishes the secure data-boundary
foundation for future provider-routing and context-governance work. It defines
serializable policy, input, finding, decision, and event contract types that
carry provider/model metadata, tenant/workspace/deployment refs, payload hashes,
policy fingerprints, reason codes, action tags, and finding counts without
embedding raw prompts, tool results, secrets, customer data, or model outputs.
It now also includes deterministic local detector findings for common PII,
financial, credential, secret, private-key, AWS-key, high-entropy, and simple
PHI marker spans, with evidence hashes plus redaction/tokenization placeholder
maps that preserve prompt structure without persisting raw matched values.
fail closed. Automation V2 run claims are now persisted with lease metadata, and
expired launch claims without active session or agent handles are reclaimed back
to the queue so only one executor can safely resume the run.
fail closed. Automation V2 webhook intake now persists tenant-scoped
idempotency keys before creating runs, reports accepted/duplicate/conflict
dedupe outcomes on delivery records and SDK types, and keeps original
delivery/run correlation available after restarts so provider retries do not
fan out duplicate automation runs.
Durable stateful runs now carry explicit workflow phases, transition history,
and allowed next phases so future long-running automation APIs can resume,
pause, and inspect runs through a guarded state machine instead of ad hoc
status strings. Legacy stateful runtime snapshots that predate those phase
fields derive a compatible phase state from their stored status when read.
Automation webhooks now persist tenant-scoped raw inbox events with raw payload
pointers, body/header digests, redacted header previews, and delivery/run
correlation for accepted, rejected, and duplicate intake paths.
Automation webhooks now use a provider-aware signature verification registry
with queryable delivery verification metadata, keeping Tandem HMAC compatibility
while preparing GitHub-style and shared-secret provider schemes.
Durable wait foundations now persist timer/webhook/approval wait metadata,
tenant-boundary identity, wake times, timeout policy, and wake claim state for
future sleep/resume scheduling.
The Automation V2 executor now runs a durable stateful wait scheduler tick that
claims due waits, recovers missed timer wakeups after downtime, records
idempotent wake/timeout events and snapshots, and marks timeout cancellations
or escalations for operator visibility.
Timer and webhook wait completions now reserve only the active leased claim
before durable wake writes, then terminalize the wait with the locked per-run
event sequence after those writes finish so concurrent completions cannot race
into duplicate sequence numbers.
Stateful runtime persistence now hardens wait, reliability, snapshot, and event
logs for crash recovery: JSON store mutations fail closed by sidelining corrupt
files, atomic writes sync temp files before rename, and event-log appends repair
torn JSONL tails before writing the next durable event.
Enterprise policy inheritance now preserves compliance floors before runtime
wiring: ancestor deny and approval-required rules block weaker descendant rules
unless explicitly marked overridable, and tenant/org-unit/workflow/phase scope
IDs are normalized for matching so case drift cannot suppress deny rules or hide
stateful runtime org-unit summaries and active grants.
Runtime policy decisions now consume that resolver directly: the server loads
enterprise/policy_rules.json, resolves each recorded policy decision through
the enterprise inheritance model across every recorded data class, enforces the
resolved result in gate, authority, fintech protected-action receipt, MCP
preflight, and memory promotion helpers, and stores inherited sources for replay.
Knowledge-scope memory governance now fails closed for source-bound gaps:
workflow-phase retrieval requires registered source-bound scope metadata, and
source-bound memory writes or promotions are blocked unless the derived memory
carries explicit knowledge_scope_registry policy metadata that matches the
source resource, source binding, and data class being written or promoted.
Source-bound manual imports now stamp imported chunks with that matching
registry metadata so governed workflow-phase reads can authorize imported
source chunks instead of hiding them as unregistered source-bound memory.
Promotion checks also preserve that source-resource registry shape when
validated source-binding metadata is present, while authority-only scope claims
still require a source_binding registry resource.
Automation V2 runs now also bridge those durable waits back into the live run
store: approval gates register and complete stateful approval waits, while
timer and webhook wait wakes requeue the authoritative automation run so the
executor can resume after a persisted wake event.
Stateful runtime event and snapshot read endpoints are now available for
tenant-filtered replay/debug and future control-panel views.
Stateful runtime run list and detail endpoints now provide canonical
tenant-filtered run records with current wait, latest event, latest snapshot,
and replay-boundary metadata, and the control-panel run list prefers those
endpoints while retaining the legacy fan-out fallback.
Canonical stateful runtime run responses now also include enterprise scope
summaries with resolved organization units, active org-unit grants, visible
knowledge source bindings, and filters for org unit, owner, resource, policy,
data class, risk tier, delegation grant, and source binding. The Control Panel
run dashboard surfaces those fields as scope metrics, filters, and per-run scope
cards.
Automation V2 lifecycle transitions now project into the authoritative
stateful runtime event and snapshot stores. Each newly recorded lifecycle
boundary gets an idempotent stateful event, monotonic per-run sequence, summary
snapshot, checkpoint digest, and workflow definition version/hash metadata so
future replay and resume paths can inspect durable run history without reading
only the hot embedded checkpoint.
Automation V2 run records now also persist first-class workflow definition
version and snapshot hash fields, backfill them from existing run snapshots on
load, expose them through SDK types, and fail restart recovery closed if the
recorded snapshot hash no longer matches the available definition.
Incident Monitor routing now supports Linear issue destinations
with MCP readiness checks, duplicate issue matching, destination-aware receipts,
and external-action records, and publish/recheck errors include the underlying
destination failure chain for easier operator diagnosis.
Incident Monitor routing also supports signed webhook destinations
with env-backed HMAC secrets, default SSRF blocking for private/internal URLs,
bounded payloads and response excerpts, capped retry attempts, and durable
per-delivery receipts. URL validation classifies parsed IPv4/IPv6 literals
before DNS lookup so IPv4-mapped private IPv6 webhook hosts fail closed
consistently across platforms.
Incident Monitor routing now also supports local telemetry and
internal memory destinations. Telemetry publishes durable destination-aware post
receipts that can be filtered by destination id, while internal memory
destinations store bounded, redacted summaries with category-specific record
refs and duplicate suppression.
Generic MCP tool destinations can now be configured for Incident Monitor routing.
These destinations fail closed unless an admin-configured
destination names the MCP server/tool, sets allow_publish, and provides an
explicit payload mapping. Route preview reports server/tool/mapping readiness
without executing tools, and publish attempts record destination, route, tool,
redacted receipt, duplicate-suppression, and failure details.
Incident Monitor incidents can now carry AI-agent safety and risk context without
breaking existing submissions. Drafts and incidents persist
redacted actor, model, tool, action, policy, approval state, risk category,
blast radius, and external correlation ids; SDK models and destination payloads
expose the context, and route preview can match risk categories for targeted
safety routing.
Incident Monitor can now generate production deployment cards for governed
agents, workflows, monitored sources, and Tandem self-monitoring. The read-only
endpoint combines authority inventory with operator-supplied purpose, owner,
accountability, approval, escalation, data-classification, and review metadata,
exports JSON/Markdown cards, and returns structured posture findings when
required production-governance fields are missing. Monitored-source cards now
link source posture evidence by source/project identifiers as well as canonical
source refs.
Incident Monitor monitored sources now have first-class data-readiness gates.
Projects and log sources can declare owner, system of record, classification,
allowed use, lineage/source-of-truth, freshness SLA and observation timestamp,
expected schema version...

Read more

Tandem v0.6.4

Choose a tag to compare

@github-actions github-actions released this 28 Jun 13:01

See the assets below to download the installer for your platform.

v0.6.4 (2026-06-28)

Tandem 0.6.4 adds secure Automation V2 webhook management and improves the
control-panel editing experience for generated workflow automations. Operators
can configure scoped webhook triggers, inspect sanitized delivery history, and
use the Studio-inspired workflow map to understand and tune generated nodes,
especially prompts and MCP-bound steps, from the existing edit modal.

Automation Webhooks

  • Automation V2 now exposes authenticated webhook management APIs for trigger
    list/create/read/update/disable/delete, one-time secret rotation, and scoped
    delivery history inspection without making public intake routes part of the
    management surface.
  • The Edit workflow automation modal now includes webhook trigger management:
    create triggers, copy callback URLs, reveal generated secrets once, rotate or
    disable triggers, and inspect sanitized recent deliveries with queued run
    references.
  • Management responses redact raw secrets, stored secret references, secret
    digests, raw payloads, auth headers, cookies, bearer tokens, and API-key-like
    preview fields while preserving safe delivery metadata for operators.

Automation Webhooks

  • Automation V2 now accepts signed public webhook deliveries at trigger-scoped
    URLs without requiring the normal Tandem transport token on that one route.
    The handler resolves tenant and automation only from the stored trigger,
    verifies HMAC signatures and replay windows, enforces JSON payload handling,
    and records sanitized internal rejection delivery records without leaking
    trigger, tenant, automation, or signature details in public errors.
  • Accepted webhook deliveries now queue Automation V2 runs with
    trigger_type = "webhook", delivery/trigger/provider provenance on the run
    snapshot, tenant context inherited from the trigger-bound automation,
    duplicate suppression, and automation.v2.run.created events with
    triggerType: "webhook".

Visual Workflow Editing

  • The Edit workflow automation modal now starts with a Studio-inspired flow
    map that groups workflow nodes into dependency stages, shows start nodes and
    upstream dependency counts, and flags missing dependencies before operators
    start editing individual node prompts.
  • Flow-map node cards summarize the details operators need while reviewing a
    generated automation: bound agent, objective preview, input-reference count,
    output kind, inherited workflow MCP servers, task-specific MCP overrides, and
    send-capable MCP tool usage.
  • Selecting a node in the map scrolls directly to that node's prompt/model/MCP
    editor card and highlights it, making generated workflows easier to adjust
    without hunting through a long modal.
  • Workflow edit drafts now retain dependency, input-reference, stage, and output
    metadata from the saved automation payload so the visual editor can represent
    the actual generated flow instead of only showing editable prompt text.
  • The prompt editor section now opens by default, which makes the map useful for
    generic reusable workflow tuning where the common edit is changing a node's
    objective prompt while keeping the generated structure intact.

Full Changelog: v0.6.3...v0.6.4

Tandem v0.6.3

Choose a tag to compare

@github-actions github-actions released this 27 Jun 14:19
6c715b7

See the assets below to download the installer for your platform.

v0.6.3 (2026-06-26)

Tandem 0.6.3 is a patch release for workflow-runtime reliability and Bug
Monitor routing. It repairs the MCP/Notion/Composio workflow paths exercised by
the Reddit infrastructure leads automation, and it advances Bug Monitor toward
destination-neutral incident routing while preserving the current GitHub
publishing behavior.

Automation V2 MCP Workflows

  • Automation V2 execution errors now classify provider request failures as
    transient and give provider/write-related artifact misses a minimum retry
    budget before terminal failure. This prevents low-retry Reddit/Notion workflow
    branches from failing immediately on flaky provider calls or missing artifact
    writes.
  • Workflow edits now preserve the full Automation V2 agents and flow payload
    when saving from the summary editor, so MCP-enabled workflows do not lose node
    execution configuration after operators change model routing, swarm settings,
    or MCP access.
  • Exact connector-tool workflows no longer receive contradictory instructions
    to call mcp_list first when concrete MCP tools are already bound. This keeps
    Notion/Composio-style automations on the intended tool path and avoids
    required-tool failures caused by discovery-only turns.
  • Workflow artifact and source validation now treats MCP tool ids as connector
    tools instead of workspace files, carries upstream artifact paths into
    concrete source coverage, and recognizes Notion page/database operations as
    outbound connector actions.
  • Connector action progress is guarded more tightly: artifact-write nodes only
    complete after a productive write to the declared artifact target, blocked
    runs clean up correctly, and runtime tests cover the connector-action review
    and artifact-write failure modes.
  • MCP OAuth cleanup now removes stale secret-header and OAuth credential
    material when auth is deleted, canonical OAuth credentials can be reused during
    refresh, and MCP public base URL handling is shared through one helper.
  • Connector-backed workflow searches now capture full remote result files into
    run artifacts before model filtering. This prevents large Composio Reddit
    responses from being reduced to model-visible previews, which previously let
    runs complete cleanly while leaving downstream Notion writer nodes with too
    few or zero rows.
  • Generic connector-row filtering now reads validated source artifacts,
    preserves writer-ready fields such as title, link, author, and duplicate-key
    values, and hands Notion writers complete rows without relying on
    workflow-specific prompt fixes. The Reddit infrastructure leads workflow was
    used as the validation shape, but the materialization path is connector
    generic for larger future data-collection workflows.

MCP Control Panel

  • MCP Settings now keeps large tool allowlists collapsed by default with an
    animated expand control, reducing the amount of space each connected server
    consumes in the list.
  • MCP servers that still require OAuth or are otherwise disconnected are sorted
    to the top so operators can see and complete the required connection step
    before trying to use the server in workflows.
  • The built-in MCP catalog copy now uses clearer add wording instead of the
    previous pack-oriented label, and scoped MCP inventory output is more compact
    for large connected servers.

Bug Monitor Routing

  • Bug Monitor now has destination-neutral Incident Monitor routing foundations:
    destination readiness, route preview APIs, destination-aware post
    filtering/idempotency, and TypeScript/Python SDK types.
  • A centralized bug_monitor::router handles route preview, route matching,
    destination readiness checks, and publish dispatch for manual, automatic,
    approval, recovery, timeout, and service paths. GitHub remains the only
    executable destination in this phase, and unsupported destination overrides
    fail closed without creating posts.
  • Monitored projects and log sources can now carry route bindings for source
    kind, route tag, destination allow/default policy, tenant/workspace scope,
    approval policy, redaction, and retention metadata.
  • Source bindings propagate through log watcher intake, scoped raw reports,
    drafts, incidents, route preview, recovery publishes, and publish validation.
    Raw source-supplied routing fields are sanitized before configured source
    lookup, granted approvals are respected, and high-risk raw sources default to
    safer approval behavior.
  • Control Panel source setup display, SDK event models, external-log intake
    documentation, and regression coverage were updated for source-bound routing.

Full Changelog: v0.6.2...v0.6.3

Tandem v0.6.2

Choose a tag to compare

@github-actions github-actions released this 23 Jun 08:37

See the assets below to download the installer for your platform.

v0.6.2 (2026-06-23)

Tandem 0.6.2 starts the enterprise MCP identity workstream for multi-employee
runtime deployments. The first change is a source-of-truth design for separating
MCP server definitions from user-owned, service-principal, shared, and delegated
MCP connections.

Runtime Observability

  • Runtime event persistence now consumes an opt-in bounded event-bus queue, so
    canonical run/session events published after persister registration are
    written to runtime/events.jsonl without depending on the live broadcast
    stream or retaining events in eval-only buses.
  • Observability events and exports now carry tenant IDs (org_id,
    workspace_id) as ID-only fields. A config-gated authenticated /metrics
    endpoint exposes scheduler queue depth, scheduler tick latency, run duration,
    gate wait, tool decision, and provider error metrics, while optional Sentry
    export is feature-gated and rebuilt through a scrubber that drops prompts,
    completions, tool arguments, and free-text details.

Workflow Runtime Reliability

  • Workflow definitions now have an opt-in strict action validation path backed
    by a typed action registry. Built-in workflow actions validate their with
    payloads before execution, strict loads reject unknown actions with
    source/step/field diagnostics, and MCP/tool actions can be checked against the
    host tool catalog schema before a workflow is saved or run.
  • Session history, Automation V2 run stores, and per-run history shards now use
    schema-versioned persistence envelopes. Legacy bare-map/bare-record files load
    through explicit v0-to-v1 migrations and rewrite safely, future schema
    versions fail closed without overwriting state, compatibility fixtures protect
    paused awaiting-approval run state, and the memory DB records its bootstrap
    schema in an idempotent schema_migrations ledger.
  • Automation V2 restart coverage now exercises persisted reload behavior for
    queued, awaiting-approval, blocked, and running runs. Golden assertions compare
    uninterrupted and restarted outcomes, duplicate approval clicks remain
    idempotent, and in-flight consequential work is failed on server restart
    without replaying node attempts or fabricating outputs.
  • Approval-gated Automation V2 runs now have failure-injection coverage for
    concurrent approvals, provider failure immediately after approval, stale gate
    decisions, half-applied gate decisions after restart, and corrupted checkpoint
    entries. Restart recovery settles already-recorded approve/cancel decisions,
    preserves rework re-arming, clears stale gate-local failure markers on
    approval, and quarantines malformed individual run checkpoints as blocked
    diagnostics instead of crashing scheduler startup.
  • Approval gates now support expiry policy metadata for default and per-gate
    deadlines. The executor can auto-cancel expired gates, record reminder or
    escalation lifecycle/audit events, redispatch approval notifications with
    changing notification keys, reject late human decisions after auto-cancel
    expiry, and expose gate deadlines in the unified approvals API and
    control-panel inbox.
  • Session-level PermissionManager asks now persist to durable state with
    decision history and provenance-bearing standing rules. Pending prompts left
    behind by a restart are marked runtime_restarted so the next tool attempt
    re-asks deterministically, and permission replies now write protected audit
    evidence with actor, request, decision, and rule provenance. Stale persisted
    request IDs are rejected after restart, and concurrent state-file writes are
    serialized so simultaneous prompts and decisions remain durable.
  • Dogfooding bugs now have a permanent replay lane: eval_datasets/dogfooding_regressions.yaml
    seeds five recent workflow/runtime bug classes, bug-monitor-fixture scaffolds
    sanitized eval fixtures from Bug Monitor incidents, and a nightly workflow runs
    the dogfooding regression dataset through eval-runner --engine-mode stub.
    Stub/live eval-runner modes now use Tokio's multithreaded runtime so local
    in-process Automation V2 evals do not overflow the single-thread runtime stack.
  • Rust CI now has a security and coverage lane: cargo-audit, cargo-deny,
    documented exception handling, and nightly governance-critical llvm-cov
    artifacts for tandem-tools, tandem-plan-compiler, and tandem-automation.
    The first cargo-deny baseline records scoped license exceptions with owners,
    reasons, and expiry dates so follow-up hardening is auditable.
  • A seeded approval-gated email demo now exercises the enterprise MCP approval
    pattern without real credentials. just demo starts an isolated engine plus a
    local HTTP MCP email stub, drafts mail, pauses at an Automation V2 approval
    gate, supports approve/cancel/rework paths, sends only after approval, and
    writes audit evidence for gate decisions, tool ledger events, drafts, and the
    outbox. A nightly non-interactive workflow runs the same path in CI.

Runtime Governance

  • Provider auth credential storage now lives in tandem-providers instead of
    tandem-core, with compatibility re-exports left in core for existing
    callers. This starts the TAN-205 crate-boundary cleanup without changing
    persisted credential file names or tenant-scoped credential behavior.
  • Bug Monitor domain logic now lives in a dedicated tandem-bug-monitor crate.
    The moved layer owns Bug Monitor records, log parsing and evidence artifact
    rendering, recurrence comment summaries, deterministic error provenance, and
    the GitHub publish algorithm, while tandem-server provides a thin
    AppState/HTTP/MCP host shim and compatibility re-exports for current callers.
    The host shim keeps duplicate post detection and ambiguous failed-create
    suppression on scoped, uncapped storage lookups rather than the public capped
    post-list API.
  • Bug Monitor log sources that start at EOF now keep missing-file health updates
    separate from successful first positioning. If a watched log appears later
    with bootstrap/history content, Tandem seeks to the end before ingesting new
    lines instead of replaying the preexisting file.
  • The eval framework now lives in a dedicated tandem-eval crate. The
    eval-runner CLI, datasets/metrics/regression helpers, scripted provider,
    isolated AppState bootstrap, and Bug Monitor fixture scaffold moved out of
    tandem-server; eval CI now builds cargo build --bin eval-runner -p tandem-eval while the server exposes only narrow public eval-support
    wrappers for the harness.
  • Tool execution now flows through a governed dispatcher outside the
    tandem-tools crate. Engine turns, workflow actions, Automation V2 connector
    preflight calls, direct HTTP tool execution, planner helpers, pack builder,
    and the engine CLI carry tenant context and scope allowlists through one
    dispatch path, which records a single policy/scope ledger event for each
    dispatch before returning the tool result or denial.
  • Tool-call parsing, registry resolution, and approval classification now share
    the same canonical tool-name normalizer. Function-style invocation parsing is
    backed by a structured scanner with a committed 30+ case corpus and generated
    parser drift coverage, reducing approval/dispatch disagreement for wrapper
    prefixes, aliases, and concrete MCP tool names.

Enterprise MCP Identity

  • Added the enterprise MCP identity and delegation design for principal-scoped
    MCP connection records, tenant/actor-bound OAuth ownership, explicit run-as
    resolution, local single-user migration behavior, and MCP audit identity
    fields.
  • Added the first runtime scaffolding for scoped MCP connection records. The MCP
    registry can now persist V2 state with separate server definitions and
    connection records, backfill local compatibility connections from legacy
    mcp_servers.json, and preserve server definitions that intentionally have no
    bound account credential.
  • Added tenant-aware MCP reconnect and refresh paths for tool execution. When an
    enterprise request carries an explicit tenant/actor context, readiness checks
    now connect and discover tools with that same context, and OAuth refresh uses
    tenant-scoped credential helpers instead of silently falling back to local
    credentials.
  • Added actor-qualified MCP secret ids and exact tenant-context secret
    resolution so two employees in the same workspace cannot overwrite or resolve
    each other's stored MCP bearer credentials.
  • Added tenant/actor-scoped MCP OAuth sessions and callbacks. Hosted OAuth
    sign-ins now record the initiating tenant context, principal, connection id,
    and provider credential id, reject mismatched authenticated callbacks, and
    persist refreshed tokens under the scoped connection instead of a shared
    server-global provider account.
  • Tightened tenant/actor OAuth completion after review: pending sign-in polls
    now keep returning the initiating session's authorization URL even when
    another user starts OAuth for the same MCP server, and callback token storage
    updates the scoped connection rather than the shared server row.
  • Moved authenticated MCP readiness state onto the scoped connection for
    explicit tenants. Refresh/discovery now records session ids, pending auth, and
    tool caches on the actor's connection, and tenant-aware tool lists read from
    that scoped cache while local single-user mode preserves the existing server
    row behavior.
  • Added Automation V2 MCP connection grants plus bridge-level run-as
    enforcement. MCP calls can now carry selected connection/principal metadata,
    cross-actor connection ids and actor-supplied service-principal selection fail
    closed before upstream dispatch, and protected audit records include the
    actual acting MCP principal and connection.
  • Added enterprise MCP isolation regressions for cross-tenant connection-id
    denial and OA...
Read more

Tandem v0.6.1

Choose a tag to compare

@github-actions github-actions released this 20 Jun 20:48
de53e4d

See the assets below to download the installer for your platform.

v0.6.1 (2026-06-20)

Tandem 0.6.1 is a focused workflow-runtime patch release for MCP wrapper
actions. It fixes a failure mode where Automation V2 nodes that only needed to
call a concrete MCP wrapper tool were still assigned an implicit JSON artifact
path, which then made the runtime require unrelated workspace writes before the
workflow could advance.

Automation V2 MCP Wrapper Actions

  • Action nodes can now explicitly disable synthesized default artifact paths
    with metadata.disable_default_output_path,
    builder.disable_default_output_path, or builder.output_path_mode = "none".
  • This lets connector-wrapper workflows, including Composio Gmail draft
    approval demos, hand off provider results without being forced through a
    workspace artifact write path.
  • Added regression coverage for the new default-output opt-out behavior.

Approvals Inbox

  • The unified approvals endpoint now rehydrates Automation V2 list rows through
    the full run record before filtering pending gates, so a stale or skeletal run
    list entry can no longer hide a live approval gate.
  • The control-panel inbox now sorts mixed approval sources by requested time,
    putting a fresh demo approval above older ACA approvals.

Automation V2 Recovery And Portability

  • Legacy automation-v2-* context-run directories are now recovered into
    Automation V2 run history. Tandem reconstructs run records, checkpoint state,
    and automation snapshots from run_state.json, then merges the newest
    recovered record into history/detail APIs and persists it back to canonical
    run storage.
  • Recovered context runs also appear in the Automation V2 library when enough
    snapshot information is present, making interrupted or pre-migration workflow
    runs discoverable again instead of stranded in context-run storage.
  • The control panel can now export an Automation V2 JSON spec from the edit
    dialog and import that JSON through the creation wizard, including replacement
    confirmation when the imported automation id already exists.

Control Panel Connectivity

  • ACA availability probing now has a longer default grace window, so the Coder
    dashboard is less likely to flip to disconnected while a recently healthy ACA
    endpoint is slow during task selection or board refresh.
  • When ACA is configured and the Tandem engine is healthy, ACA probe timeouts
    are smoothed as degraded-but-available instead of immediately hiding Coder
    actions.

MCP Provider Guidance

  • The automated-agents guide now documents Composio Connect and scoped Composio
    MCP server URLs separately, including generated MCP URL usage, x-api-key
    requirements, and REST-only setup examples for creating and generating
    Composio MCP server URLs.

Release Metadata

  • Bumped Tandem Rust workspace, desktop, npm, and Python manifests to 0.6.1.
  • Updated the version bump script so the meta-harness crate and desktop Tauri
    lockfile are included in future release bumps.

Full Changelog: v0.6.0...v0.6.1

Tandem v0.6.0

Choose a tag to compare

@github-actions github-actions released this 17 Jun 16:48

See the assets below to download the installer for your platform.

v0.6.0 (2026-06-17)

Tandem 0.6.0 is a security- and assurance-focused release that lays the
foundation for cross-tenant data governance, governed runtime decisions, and
goal-driven capability composition. It adds eval-backed, CI-enforced proof that
tenant boundaries hold at runtime, tenant-scopes approval/audit/provider paths,
hardens MCP and memory egress, and gives operators better ACA cockpit and
feedback surfaces. The later 0.6.0 hardening work also adds an Action
Firewall eval suite, explicit memory ciphertext-at-rest modes, tenant-scoped
protected audit evidence, context-budget/provenance guardrails, EU AI Act
export evidence, repo-intelligence graph queries, runtime observability, and
the first meta-harness evaluation models for scoring workflow candidates.

Desktop Provider Setup

  • Desktop settings now has a dedicated Providers tab, so LLM provider setup is
    no longer buried in the general Settings page.
  • OpenAI Codex account auth is available from the desktop provider panel. Users
    can sign in through the browser, import an existing local Codex session,
    reconnect, or disconnect the stored Codex OAuth session.
  • Built-in desktop provider coverage now includes OpenAI Codex, OpenRouter,
    Anthropic, OpenAI, Groq, Mistral, Together, Cohere, llama.cpp, Ollama, Poe,
    Azure OpenAI-compatible, Amazon Bedrock-compatible, Vertex-compatible, and
    GitHub Copilot-compatible providers.
  • Provider/model selection is more robust: authenticated or local/keyless
    providers can persist the selected model, while unauthenticated hosted
    provider toggles no longer masquerade as configured chat models. Chat session
    creation also falls back to the enabled/default provider slot when the model
    picker has not populated an explicit value yet.
  • The engine now honors the managed OPENCODE_CONFIG path supplied by the
    desktop launcher, keeping the provider UI and sidecar registry in sync during
    local Tauri development and packaged desktop runs.
  • Session creation persistence errors now return structured details instead of
    a bare 500 Internal Server Error. Windows temp-file sync/replace handling
    retries transient Access is denied failures that can happen while saving the
    first chat session.

Enterprise Hardening Snapshot

  • The Action Firewall now has regression coverage and a demo preset for
    protected action decisions before tool execution.
  • Tenant-scoped protected audit ledger and governance evidence export surfaces
    make protected decisions traceable across policy decisions, audit records,
    tool-effect ledger entries, and run context.
  • Cross-tenant grants now have public contract/server implementation surfaces
    and positive sharing eval coverage. Ordinary tenant boundaries still fail
    closed; cross-tenant access must be represented as an explicit governed grant.
  • Default data-boundary and cross-tenant grant design docs describe how
    governed reads, inbound lookup, trust roots, and explicit sharing compose.
  • Egress DLP preflight checks outbound agent-team actions before they leave the
    runtime boundary.
  • Sensitive-path basename fallback protections were rechecked, and shared
    SSRF URL/IP validation now covers web fetch and browser navigation paths.

Evaluation Gate Assurance

  • The per-PR evaluation regression gate now fails closed when eval-runner
    cannot build or when an evaluation run crashes. Earlier CI behavior could
    emit hardcoded passing JSON for the critical-path, tenant-isolation, and
    action-firewall datasets, creating a plausible green check even when the
    runner was broken. The gate now builds eval-runner as a required step, runs
    each dataset through the binary directly, and reports missing results in the
    PR comment instead of fabricating pass rates.
  • Full workspace test coverage now runs through cargo-nextest, and an
    end-to-end tandem-engine smoke-test CLI gives release validation a direct
    runtime path rather than only unit-level proof.
  • The meta-harness work now includes prompt-injection exfiltration and
    blast-radius evaluation coverage, expanding the release's regression suite
    beyond workflow scoring into adversarial context handling.

Compliance Evidence And Exports

  • EU AI Act readiness now includes deployment-scope tracking, Article 50
    transparency badges/labels, hash-chained audit ledgers, SIEM export guidance,
    and generated-artifact provenance preservation across exports.
  • Protected-action and approval evidence now records completeness checks, so
    operators can distinguish complete, incomplete, and unsupported evidence
    packages when auditing governed runtime decisions.
  • Exported artifacts preserve generation provenance and Article 50 labels,
    keeping downstream compliance packages tied to the run and policy evidence
    that produced them.

Runtime Diagnostics And Release Safety

  • Startup config validation catches invalid or surprising runtime configuration
    before the engine proceeds, reducing silent misconfiguration during desktop,
    local, and hosted launches.
  • Runtime observability events are persisted, giving operators and debugging
    tools durable lifecycle evidence rather than relying only on transient logs.
  • Structured HTTP error codes make API failures easier to classify and recover
    from, including provider/session setup paths that previously collapsed into
    generic server errors.
  • Tandem-server panic-surface guards, async runtime hygiene checks, and
    tandem-tools path sandbox regression tests reduce release risk around server
    crashes, blocking runtime mistakes, and filesystem escape regressions.

Repo Intelligence And Workflow Graphs

  • Repo intelligence now has manifest/fact extraction, persistent store/query
    APIs, context bundle queries, exposed tools, quality regressions, metrics,
    debug export, and GraphRAG retrieval improvements.
  • Workflow and run graph foundations now support context graph storage,
    governed query envelopes, runtime planning queries, memory/rerun queries,
    failure-causality analysis, workflow impact analysis, routing hints, and
    benchmark reporting.
  • The graph and repo-intelligence crates are included in release automation so
    these new diagnostics are built and validated with the shipped workspace.

Cross-Tenant Data Governance

  • Hosted and enterprise requests now rely on signed tenant-context assertions
    as the trust primitive. Assertions are Ed25519 JWS values selected by kid,
    validated against issuer/audience, expiry, explicit deployment scope, actor
    consistency, key metadata, allowed resource-scope prefixes, and a replay
    policy (bound by default, with one_shot available for per-request
    issuers). docs/CONTEXT_ASSERTION_SECURITY.md documents configuration and
    operational guidance.
  • A dedicated tenant_isolation evaluation dataset now runs in the per-PR
    regression gate, covering must-block scenarios: cross-tenant source/secret
    access and cross-tenant memory reads must fail closed and emit audit evidence
    (CT-01).
  • The local eval-runner stub mode boots a real in-process AppState, so the
    cross-tenant evals exercise real tenant-scoped enforcement instead of
    deterministically echoed output shapes (CT-16).
  • A real-engine isolation eval proves that an automation running as tenant A
    cannot read a resource that exists only for tenant B through the runtime tool
    path (CT-02).
  • The audit read path (/audit/stream) is now tenant-scoped: it fails closed
    for explicit tenants, recognizes both nested tenantContext and flat tenant
    tags, and remains a no-op for local/single-tenant deployments. fintech and
    tool-effect audit events are now tagged with their originating tenant so they
    remain visible to their own tenant while staying isolated from others. New
    unit, HTTP-integration, and eval coverage assert that tenant B cannot read
    tenant A's audit events (CT-04).
  • Memory promotion is now tenant-scoped, preventing untrusted memory from being
    promoted across tenant boundaries. A new eval dataset proves the isolation
    (CT-03).
  • Channel interactions (Discord, Slack, Telegram) now enforce tenant routing,
    failing closed at the channel interaction audit layer when cross-tenant access
    is attempted (CT-05).
  • Knowledge retrieval now has a dedicated negative eval proving tenant B cannot
    retrieve tenant A's knowledge-base items, and skills isolation is locked by a
    regression test showing project skills resolve only from the executing
    workspace root (CT-08).
  • Provider catalog discovery and provider throttles are tenant-scoped. Explicit
    hosted tenants use only their own persisted provider auth, cannot inherit
    shared config/env/local runtime provider keys, and do not get queued behind
    another tenant's provider backoff.
  • Store-backed MCP secret headers are checked against the executing tenant
    before OAuth refresh or outbound MCP calls, returning tenant-scope denials for
    cross-tenant secret attempts.
  • Governance approval receipts now carry the issuing tenant. Cross-tenant
    approve/deny attempts fail closed without leaking receipt existence, approval
    listing is tenant-scoped, and approval audit events use the real tenant
    context (CT-09).
  • Automation spend/quota guards are keyed by tenant for explicit tenants, so
    one tenant's same-named agent cannot pause or block another tenant's run
    lifecycle (CT-10).

Memory Security Hardening

  • A memory retrieval gateway governs channel reads, applying tenant and source
    scoping before retrieved memory is used in channel responses.
  • Retrieval egress controls (TAN-102) restrict which retrieved memory and
    knowledge can leave through session knowledge-base grounding and export paths.
  • Memory crypto mode is now explicit. Local/default installs remain plaintext,
    local encrypted mode stores encryptable memory payload columns as
    AES-256-GCM ciphertext, and hosted KMS mode fails ...
Read more

Tandem v0.5.13

Choose a tag to compare

@github-actions github-actions released this 02 Jun 12:53

See the assets below to download the installer for your platform.

v0.5.13 (2026-06-02)

Tandem 0.5.13 combines the Linear-backed Coder intake work with a focused
runtime security hardening pass. The release tightens local API exposure,
workspace mutation defaults, shell execution, tenant scoping, audit/event
visibility, secret storage, and browser/provider network guardrails.

Coder Linear Intake

  • The Coder control panel can now register ACA projects backed by Linear teams
    and projects, with optional launch-status, label, and search-query filters.
  • The Coder intake board now renders both GitHub Project items and Linear
    issues through one scheduler-aware issue board, including batch launch,
    active-run detection, and direct issue links.
  • Coder overview and intake refresh messaging now reflect the selected issue
    source, including Linear MCP connection state when a Linear-backed project is
    selected.

Automations V2 Reliability

  • Automations V2 completion is now gated by terminal checkpoint integrity and
    contract-aware deliverable assertions instead of only checking for empty
    pending-node queues.
  • Required file deliverables must exist, be substantive, and pass basic shape
    checks; missing or weak deliverables requeue the owning node while repair
    attempts remain.
  • Required email delivery and generic outbound connector actions now need
    successful receipt evidence before the run can complete. Model prose alone no
    longer satisfies governed side effects.
  • Workflow graph validation now rejects dependency cycles and keeps input_refs
    aligned with readiness dependencies, including through budget compaction and
    strict sequential plans.
  • Verification failures now retry through the repair path until attempt budget
    is exhausted, and verification failure detection is scoped to verification
    output rather than unrelated artifact prose.
  • Recoverable tool execution errors are surfaced to the model for adaptation,
    while cancellation, shutdown, runtime-not-ready, and write-required
    permission failures remain loud failures.
  • Timer-triggered automations now dedupe queued/running runs the same way watch
    triggers do, preventing slow scheduled workflows from accumulating backlogs.
  • Parked-state lifecycle handling is explicit: approval gates can be marked as
    visibly stale under a manual-only policy, guardrail-stopped runs can
    auto-resume after approved quota overrides, stale reaping honors active
    run-registry heartbeats, and node execution uses idle/no-progress timeouts
    with an absolute ceiling.
  • Warning outcomes are now consistent across runtime and learning surfaces:
    accepted_with_warnings remains passable only without unmet requirements,
    but it is not counted as a clean workflow-learning validation pass and does
    not generate positive learning evidence.

Runtime Security Hardening

  • Local engine HTTP API startup now refuses unauthenticated non-loopback binds,
    and token-clearing no longer reopens the API.
  • HTTP MCP registration rejects arbitrary stdio: transports.
  • File write, edit, and patch tools now ask by default instead of silently
    mutating the workspace.
  • Batch sub-calls pass through permission and sandbox evaluation so nested tool
    calls cannot skip approval gates.
  • Workspace and write-policy checks fail closed when no workspace root can be
    resolved.
  • Shell execution uses Linux bubblewrap confinement by default, requires
    workspace context, and requires an explicit unsafe opt-out for unsandboxed
    shell execution.
  • Automation auto-approval now treats empty allowlists as deny-all and refuses
    to auto-approve shell tools.
  • Local single-tenant mode ignores caller-supplied tenant headers; hosted and
    enterprise tenant context continues to require signed assertions.
  • Run event streams, audit streams, and project listing now enforce tenant
    ownership/visibility checks.
  • API tokens, vault keys, and TUI keystores are written with owner-only Unix
    permissions, and vault passphrases replace the previous 4-digit PIN model.
  • Browser navigation fails closed without an allowlist and blocks local/private
    targets; provider base URL validation rejects unsafe remote HTTP endpoints.
  • Provider credential debug output and bug-monitor log redaction now avoid
    leaking plaintext secrets.

Compatibility Notes

  • Linux hosts that need shell execution must have bubblewrap available, or
    explicitly set TANDEM_UNSAFE_UNSANDBOXED_SHELL=1 for trusted local-only
    development.
  • Local clients should rely on the generated/shared API token rather than
    clearing token auth during development.

Full Changelog: v0.5.12...v0.5.13

Tandem v0.5.12

Choose a tag to compare

@github-actions github-actions released this 27 May 16:30

See the assets below to download the installer for your platform.

v0.5.12 (2026-05-27)

Tandem 0.5.12 hardens the hosted control-panel sign-in path and starts the
hosted organization access model inside the runtime. Hosted panel sessions now
carry Tandem-signed org-unit membership, capabilities, and policy-version
context, and automation v2 resources can be private, group-shared, or org-wide.

Hosted Panel Access

  • Hosted panel session exchange and refresh payloads now preserve org units,
    effective capabilities, and policy version from Tandem-hosted identity.
  • /api/auth/me exposes the hosted access context so the control panel can
    filter navigation and actions without treating UI hiding as enforcement.
  • The control-panel proxy now uses capabilities for hosted reads, automation
    execution, automation writes, and sharing actions before forwarding requests
    to the engine.

Runtime Resource Sharing

  • Hosted automation v2 creation stamps owner/private access metadata from the
    verified Tandem assertion instead of trusting caller-provided user fields.
  • Automation v2 list/read/run routes enforce private, group, and org visibility
    in hosted mode. Private automations remain visible to their creator and
    hosted admins.
  • Owners/admins can update automation visibility through
    POST /automations/v2/{id}/share, setting private, group, or org-wide
    access.
  • Automation mutation and repair routes now require owner/admin access for
    hosted resources, while legacy/local unscoped operation remains compatible.

Compatibility

  • Slack, Discord, and Telegram approval-gate integrations continue to call the
    runtime gate-decision path without requiring a browser hosted assertion.

Full Changelog: v0.5.11...v0.5.12