Releases: Dark-Alex-17/coyote
Release list
v0.7.4
v0.7.4
Two themes this release: log rolling so long-running Coyote sessions don't blow up their log files, and a batch of sandbox (coyote --sandbox) fixes that make the first-run experience actually work on macOS.
New
- Rolling log files. Coyote now rotates its log file automatically so a long-running session (or a chatty agent) can't grow the log unbounded. Nothing to configure — it just happens.
- --tail-logs survives rollovers. The tailer now follows the log across rotations and idles between reads instead of spinning, so coyote --tail-logs is finally cheap to leave running in a second pane.
Sandbox fixes
If you tried coyote --sandbox on macOS in v0.7.x, it likely (a) failed halfway through the usql install with bzip2: (stdin) is not a bzip2 file, (b) left you attached to an empty container that didn't detect your config, or (c) prompted you for a fresh vault password. All three are fixed:
- Pinned usql version in the sbx kit. The install no longer hits api.github.com to resolve "latest" (which was rate-limited on some IPs and silently wrote an HTML error page into the tarball). Bumped to a known-good release with curl -fS --retry 3.
- Config now lands at the right path. The bootstrap copy was writing to /home/agent/.config/ but the sandbox's COYOTE_CONFIG_DIR points at /home/agent/.config/coyote/, so the sandboxed Coyote never saw your host config. Fixed.
- Top-level config files are no longer silently dropped. The sbx cp recursive directory copy on macOS lost files carrying the com.apple.provenance extended attribute (Docker Desktop's tar bridge issue). Coyote now iterates top-level entries and copies each individually, which sidesteps it.
- Ownership is now correct. Both the copied config tree and the vault password file are chown -R agent:agent'd after copy, so Coyote inside the sandbox can actually read them.
- sbx create / sbx run invocation cleaned up. --name moved to the canonical first-flag position (was being ignored in some cobra parse paths), and --kit is re-passed to sbx run on reattach because sbx requires it even for existing sandboxes.
- Kit spec updated for newer sbx. Reworked the embedded spec.yaml for the sbx CLI update that requires mixins to be directories with a spec.yaml inside, not standalone files.
Docs & tooling
- Fixed URLs and misc issues in the install_coyote.sh / .ps1 scripts.
- Wiki: added a Multiple sandboxes per workspace section — you can run any number of independent sandboxes off the same directory by passing coyote --sandbox .
Upgrading
Cargo:
cargo install --locked coyote-aiHomebrew:
brew upgrade coyoteIf you already have a broken sandbox lying around from a previous attempt, blow it away before your first launch on v0.7.4:
sbx rm -f coyote coyote-coyote # or whichever names you used
coyote --sandboxAI Use Disclosure
The above release notes were created by Claude Opus 4.8 and reviewed and revised by myself, @Dark-Alex-17.
All code was first designed by myself and tested out with simple POCs. AI was used to do the implementation step-by-step with myself intervening between each step to review, sometimes write more complex code manually (because I don't trust it), and make changes and catch bugs.
All bugs that emerge as part of this release and any new code added are fully my responsibility and fully created by myself.
Every line of code written was thoroughly reviewed, tested, and devised by myself prior to any commit.
Models used:
- Claude (Opus and Sonnet)
- OpenAI (GPT 5.4)
- Ollama (Gemma4, Phi4, Qwen3, llama3.3)
- Mistral (Codestral and Devstral)
- Gemini (3.1-pro-preview)
v0.7.3
Memory Hotfix
This is a hotfix for the money system. This fix ensure the memory system is bootstrapped on REPL startup, this ensuring users don't have to type .set memory true to trigger a bootstrap of the memory functions.
v0.7.2
usql hotfix
Additional hotfix for the usql version.
v0.7.1
Sandbox Hotfix
This release is a simple hotfix for Docker Sandboxes where the mixin filenames must be spec.yaml, and --kit references must be directories. So this fix simply find all mixins, creates hashed directories for them (so there's no need to overwrite each time), and writes them to spec.yaml to apply them properly.
v0.7.0
Coyote v0.7.0
This release introduces a brand-new persistent memory system and a fully built-in sandboxing (sbx) layer powered by Docker — letting Coyote remember things across sessions and giving every run an isolated, mixin-extensible environment — alongside REPL ergonomics, diagnostic tooling, and a host of reliability improvements.
Important
📦 Reinstall the updated built-in assets
This release updates and adds several built-in assets. After upgrading, reinstall them with the .install REPL command or the coyote --install CLI flag for every asset category listed below:
coyote --install functionsOr, from within the REPL:
.install functions
Reinstalling overwrites the bundled assets with this release's versions.
✨ Highlights
🧠 Memory — persistent, configurable knowledge across sessions
Coyote now ships a first-class memory system that lets the LLM read and write durable memory tied to the global config, a workspace, a role, an agent, or a single session. Memory is a file-backed, append-only knowledge store the model can consult before answering and update as it learns.
- New memory module with persistent on-disk storage and a generated
MEMORY.mdindex that is auto-appended on every write — no more relying on the model to remember to update it. - Memory configuration is wired into the main app config, roles, sessions, and agents, with global and workspace scopes selectable independently.
- Built-in memory tools for listing, reading, writing, and updating memories, with read-only and read/write modes governed by a memory-specific system prompt that's appended whenever memory is active.
--init-memory [global|workspace]CLI flag to quickly enable and scaffold memory in either scope, plus--no-memoryto disable memory for a single invocation.- Auto-bootstrapped workspace memory when Coyote is launched inside a git repo, so workspace knowledge starts collecting automatically.
- REPL integration:
.set memorycommands to toggle memory injection and switch modes mid-conversation, and memory's global configuration is now surfaced in both--infoand.infooutput. - Example configurations and docs updated to cover the new memory settings and the
--init-memoryflag.
📦 Sandboxing — first-class, Docker-powered, mixin-extensible sandboxes
Coyote now has built-in sandboxing ("sbx") powered by Docker, giving every run an isolated environment that can be tailored per workspace via a flexible mixin system.
- New sbx-kit asset category providing the core sandbox spec, plus a mixin kit for built-in functions and MCP servers so the bundled tooling drops straight into the sandbox.
- Dynamic sbx mixin discovery: Coyote loads sbx mixins from both the user's workspace and config directories, so projects can ship their own mixins alongside their config.
- New sbx-vault-mixins asset category with first-party mixins for AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, gopass, and 1Password, so every supported secrets provider works seamlessly inside the sandbox.
--freshCLI flag for spinning up a truly bare-bones sandbox with no config bootstrapping — useful for clean-room experimentation.- The
.infoand--infooutputs now include the active sbx directories, so it's obvious what's mounted and where. - Cross-platform path handling: Windows-based local vault password file locations now resolve correctly and are bootstrapped into the sandbox when possible, and user-prefixed Mac and Linux paths for the vault password file are auto-translated when running inside a sandbox.
🛠️ REPL, diagnostics & reliability
- Direct shell execution from the REPL — run shell commands inline without leaving the session.
- New
.info toolsdiagnostic subcommand to make it easy to see exactly which tools are enabled in every context (global, role, agent, session). - Additional
.infooutput for enabled skills and sbx directories. .skillscommand completion migrated to useStateFlags, with updated help messages.- Tool scope is now rebuilt after dynamically updating
skills_enabledin the REPL, so toggling skills mid-session takes effect immediately. - Tool stdout is now buffered alongside stderr, so any tool that writes errors to stdout has them captured and returned to the model — giving the LLM the context it needs to reason about and recover from failures.
- Improved
fs_patchscript description and error handling, making patch failures legible and recoverable. - Explicit guardrail handling for pending agents, preventing them from being invoked in inconsistent states.
- New Claude Fable 5 entry in
models.yaml, withrequire_max_tokenscorrectly set. - Non-streaming Claude requests now use
rawPredictfor correctness. - Pinned
aws-smithy-typesandtimeto work around the upstreamaws-smithy-typesrelease breakage.
🐛 Notable fixes
- Auto-bootstrapped memory was incorrectly writing
MEMORY.mdto the repo root instead of.coyote/memory/MEMORY.md. .vault listno longer attempts to autocomplete past the end of the command.- Sandbox: Windows local vault password file paths are now resolved and bootstrapped into the sandbox when possible, and user-prefixed Mac/Linux paths are auto-translated.
auto_continue=falseno longer leaves stale todo functions in the active function list.- Linter complaints in the paths module cleaned up.
AI Use Disclosure
The above release notes were created by Claude Opus 4.8 and reviewed and revised by myself, @Dark-Alex-17.
All code (the new memory system, the sbx sandboxing layer and its mixin kit, the vault mixin specs, REPL diagnostics, and built-in tool fixes) was first designed by myself and tested out with simple POCs. AI was used to do the implementation step-by-step with myself intervening between each step to review, sometimes write more complex code manually (because I don't trust it), and make changes and catch bugs.
All bugs that emerge as part of this release and any new code added are fully my responsibility and fully created by myself.
Every line of code written was thoroughly reviewed, tested, and devised by myself prior to any commit.
Models used:
- Claude (Opus and Sonnet)
- OpenAI (GPT 5.4)
- Ollama (Gemma4, Phi4, Qwen3, llama3.3)
- Mistral (Codestral and Devstral)
- Gemini (3.1-pro-preview)
v0.6.0
Coyote v0.6.0
This release introduces a brand-new Skills system and a fully generalized secrets / vault backend that supports remote secret providers (AWS, GCP, Azure, gopass, 1Password) in addition to the local vault — alongside a host of agent, graph, and reliability improvements.
Important
⚠️ Before you upgrade: migrate your vault (ignore if you've already done this in v0.2.0 or later)
This release ships a newer version of gman (0.4.1 → 0.5.0) that no longer supports the previous cryptographically-insecure local vault encryption mechanism. gman 0.4.1 added temporary migration logic to allow users to still decrypt their old vaults using the previous encryption mechanism, but gman 0.5.0 removes that old logic and exclusively uses the more cryptographically-secure implementation.
This means that any local vaults that have not been migrated will no longer work after upgrading.
If you have not already migrated, you must do so before upgrading. Migration means:
- Dump your secrets out of Coyote,
- Upgrade to the latest version,
- Add all of your local secrets back so they use the new encryption status.
Full, step-by-step migration instructions are in the v0.2.0 release notes. If you have not migrated yet, follow those instructions first, then come back and upgrade.
Important
📦 Reinstall the updated built-in assets
This release updates and modifies several built-in assets. After upgrading, reinstall them with the .install REPL command or the coyote --install CLI flag for every asset category:
coyote --install agents
coyote --install macros
coyote --install skills
coyote --install functions
coyote --install mcp_configOr, from within the REPL:
.install agents
.install macros
.install skills
.install functions
.install mcp_config
Reinstalling overwrites the bundled assets with this release's versions. The skills category is new in this release, and the mcp_config, agents, macros, and functions assets have all been updated.
✨ Highlights
🧠 Skills — modular, loadable knowledge & capability packs
Skills are modular knowledge or capability packs the LLM can load and unload mid-conversation, dynamically bringing their instructions, tools, and MCP servers into scope only when needed. They persist to disk like agents, are name-validated everywhere, and ship with a set of built-ins.
- New skill registry and skill module, with skills persisted to disk (like agents) rather than held in-memory (like built-in roles).
- Skills policy that tracks the available skills per context, with
visible_skills(the universe of allowable skills) andenabled_skills(the default-available set) configurable globally and per role/agent/session/LLM node. - Built-in functions for listing, loading, and unloading skills, with dynamic loading/unloading of a skill's tools and MCP servers whenever
load_skill/unload_skillis invoked. - A set of auto built-in skills:
ai-slop-remover,code-review,delegation-protocol,frontend-ui-ux,git-master,oracle-protocol,parallel-research, andverification-gates. --skillCLI flag (repeatable) to start the REPL or a CLI run with one or more skills pre-loaded.- REPL integration:
.edit skill <name>support,setcommands for toggling skills and changing which skills are enabled, andskills_diradded to Coyote'sinfooutput. auto_unloadskills that release their scope automatically during chat.- Skill hint injection: an optional, configurable prompt hint (
inject_skill_instructions/skill_instructions) that points the model atskill__listwhenever skills are enabled in the current context. - LLM graph nodes now support skills, and the Sisyphus agent family was refactored to use the skills system for improved performance and reliability — including delegating significant code changes to the code-reviewer agent (a "reflexion"-style pass).
enabled_skillsaccepts both YAML list and comma-separated string formats.- Skills require
function_calling_support: trueto function.
🔐 Generalized secrets / vault providers
Coyote's vault logic was refactored to be generic over a SupportedProvider, so you can store and resolve {{SECRET}} templates against a variety of backends — not just the local encrypted vault.
- Generalized
gmanusage to work with multiple vault providers via theSupportedProviderenum directly in configuration. - Supported providers: Local, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, gopass, and 1Password.
- New first-time-run wizard for choosing and configuring a secrets provider.
- Round-trip validation for vault providers to verify permissions and authentication up front (with provider-specific guidance, e.g.
aws sso login/aws configurefor AWS). - Shorthand: setting
vault_password_file(or nothing at all) selects the localgmanprovider; settingsecrets_providerexplicitly takes precedence. - Config secrets stored in remote vaults are now usable during config interpolation, because the secrets-provider configuration is cloned when bootstrapping the app config.
- Upgraded to gman 0.5.0 (see the migration note above).
🛠️ Tooling, agents & reliability
fs_grepnow works with both files and directories.execute_commandno longer mangles heredocs; the coder and Sisyphus agents are now explicitly instructed to preferfs_write/fs_patchoverexecute_commandfor writing files.- Improved explore agent and improved code-reviewer agents (now skills-aware).
- Fallthrough on missing secrets during
mcp.jsonmerging. - Upgraded to the latest version of
mcp-remote. enabled_toolsandenabled_mcp_serversnow accept both CSV and YAML-list formats.
🐛 Notable fixes
- Fixed a greedy secrets regex that caused multiple secrets on a single line to fail, and stopped interpolating a line when any error occurs.
- Azure Key Vault: handle the fact that Azure doesn't support underscores in key-vault secret names; vault round-trip tests now use characters supported by all major providers.
init_barenow loads only the provisionedsecret_providerfrom the config without interpolating the rest of the file, failing only when no config exists (i.e. a genuine first run).- Hardened skill handling: path/name validation everywhere (including
has_skillandlist_skills) to prevent side-channel attacks, fixed a privilege leak when unloading skills left tool scope untouched, fixed tool filtering for skills and user functions in agents, and correctedeffective_policyoverwriting skill values for role-like structs. - Redirect guard
stderrinto the user's/dev/tty; set-euo pipefailfor the temporaryexecute_command.shscript. - Disabled skills for specific built-in roles where they don't apply.
AI Use Disclosure
The above release notes were created by Claude Opus 4.8 and reviewed and revised by myself, @Dark-Alex-17.
All code (the gman refactor, the new skills system, agent and skill rewrites, built-in tool fixes) was
first designed by myself and tested out with simple POCs. AI was used to do the implementation step-by-step with myself
intervening between each step to review, sometimes write more complex code manually (because I don't trust it), and make
changes and catch bugs.
All bugs that emerge as part of this release and any new code added are fully my responsibility
and fully created by myself.
Every line of code written was thoroughly reviewed, tested, and devised by myself prior to any commit.
Models used:
- Claude (Opus and Sonnet)
- OpenAI (GPT 5.4)
- Ollama (Gemma4, Phi4, Qwen3, llama3.3)
- Mistral (Codestral and Devstral)
- Gemini (3.1-pro-preview)
v0.5.0
By popular demand, Loki is now Coyote!
I originally named Loki "Loki" because it was kind of a joke that if you leave an LLM unsupervised for too long, they tend to create a bit of mischief. Unfortunately, that name also already exists with an incredibly popular logging system for Grafana. So, upon release of the last version of Loki, I asked the community for a better name and @erichury suggested the name "Coyote".
That suggestion received overwhelming positive feedback and I like the name, so Loki is now Coyote! Thank you @erichury for the suggestion!
A little added tidbit about the name: Coyote is also the trickster spirit in a lot of Native American mythologies. Another reason I like the name is because of this added meaning. The whole point of Coyote is to make LLMs more reliable so they can be used for scripting, cron, fuzzy problem solving, etc., and when they're wrong, they're always confidently wrong so they trick you easily if they say what you want to hear.
Migration for existing Loki users
I've written the following scripts for existing Loki users to migrate to the new Coyote binary without losing configurations, personalizations, etc. Be sure to install the new Coyote binary first but don't run it until you run the following scripts!
Mac/Linux
#!/usr/bin/env bash
OS="$(uname -s)"
echo "Renaming loki vault file"
vault_file=$(loki --info | grep vault_password_file | awk '{print $2;}')
vault_dir=$(dirname $vault_file)
mv "$vault_file" "${vault_dir}/.coyote_password"
echo "Migrating configuration directory"
config_file=$(loki --info | grep config_file | awk '{print $2}')
config_dir=$(dirname $config_file)
base_config_dir=$(dirname $config_dir)
new_config_dir="${base_config_dir}/coyote"
mv "$config_dir" "$new_config_dir"
echo "Migrating cache directory"
log_file=$(loki --info | grep log_path | awk '{print $2}')
cache_dir=$(dirname $log_file)
base_cache_dir=$(dirname $cache_dir)
new_cache_dir="${base_cache_dir}/coyote"
mv "$cache_dir" "$new_cache_dir"
echo "Rename loki-specific files"
functions_dir=$(loki --info | grep functions_dir | awk '{print $2}')
mv "${functions_dir}/tools/web_search_loki.sh" "${functions_dir}/tools/web_search_coyote.sh"
echo "Updating Loki environment variable names"
if [[ "$OS" == "darwin" ]]; then
find "$new_config_dir" -type f -exec sed -i '' 's/LOKI/COYOTE/g' {} +
else
find "$new_config_dir" -type f -exec sed -i 's/LOKI/COYOTE/g' {} +
fi
echo "Updating built-in tools"
coyote --install functionsWindows/Mac/Linux
#!/usr/bin/env pwsh
# Cross-platform (Linux / macOS / Windows) loki -> coyote migration.
# Requires PowerShell 7+.
$ErrorActionPreference = 'Stop'
function Get-LokiInfoValue {
param([Parameter(Mandatory)][string]$Key)
$line = loki --info |
Where-Object { $_ -match [regex]::Escape($Key) } |
Select-Object -First 1
if (-not $line) {
throw "Could not find '$Key' in 'loki --info' output"
}
$fields = ($line.Trim() -split '\s+')
return $fields[1]
}
Write-Host "Renaming loki vault file"
$vault_file = Get-LokiInfoValue 'vault_password_file'
$vault_dir = Split-Path -Parent $vault_file
Move-Item -LiteralPath $vault_file -Destination (Join-Path $vault_dir '.coyote_password')
Write-Host "Migrating configuration directory"
$config_file = Get-LokiInfoValue 'config_file'
$config_dir = Split-Path -Parent $config_file
$base_config_dir = Split-Path -Parent $config_dir
$new_config_dir = Join-Path $base_config_dir 'coyote'
Move-Item -LiteralPath $config_dir -Destination $new_config_dir
Write-Host "Migrating cache directory"
$log_file = Get-LokiInfoValue 'log_path'
$cache_dir = Split-Path -Parent $log_file
$base_cache_dir = Split-Path -Parent $cache_dir
$new_cache_dir = Join-Path $base_cache_dir 'coyote'
Move-Item -LiteralPath $cache_dir -Destination $new_cache_dir
Write-Host "Rename loki-specific files"
$functions_dir = Get-LokiInfoValue 'functions_dir'
$tools_dir = Join-Path $functions_dir 'tools'
Get-ChildItem -LiteralPath $tools_dir -Filter 'web_search_loki.*' -File | ForEach-Object {
$newName = $_.Name -creplace 'loki', 'coyote'
Rename-Item -LiteralPath $_.FullName -NewName $newName
}
Write-Host "Updating Loki environment variable names"
Get-ChildItem -LiteralPath $new_config_dir -Recurse -File | ForEach-Object {
$content = Get-Content -LiteralPath $_.FullName -Raw
if ($null -ne $content -and $content -cmatch 'LOKI') {
$updated = $content -creplace 'LOKI', 'COYOTE'
Set-Content -LiteralPath $_.FullName -Value $updated -NoNewline
}
}
Write-Host "Updating built-in tools"
coyote --install functionsBug Fixes
Aside from the rename, a couple of bug fixes did make it into this release:
- Claude changed their OAuth mechanism again and thus I figured out the correct headers that they use this time to get it to work without needing a proxy like Meridian.
- A bug was accidentally introduced with the new graph system: In very specific circumstances with normal agents, tool-based guards or inputs or user feedback mechanisms (specifically those born of the scripts, not the binary) would get skipped, or simply stall execution. This has since been fixed.
v0.4.0
This one's big. This one brings all of the new features! (and refactorings (and bug fixes))
This release ships
- A new declarative graph-based agent system
- The ability to install configuration bundles from any git repository
- In-place self-update
- TypeScript tool support
- Full HTTP/SSE MCP transports
- And a long-overdue split of the monolithic
Configstruct.
⚠️ Breaking Changes
MCP Configurations Now Require a type Field
MCP server entries now declare their transport type explicitly. Existing configs that omit it will fail to load.
Old:
{
"mcpServers": {
"my-server": {
"command": "uvx",
"args": ["mcp-server-foo"]
}
}
}New:
{
"mcpServers": {
"my-server": {
"type": "stdio",
"command": "uvx",
"args": ["mcp-server-foo"]
}
}
}One-liner migration
Adds "type": "stdio" to every existing MCP server in your mcp.json (idempotent; skips entries that already have a type):
F=$(loki --info | grep -i functions_dir | awk '{print $2 "/mcp.json";}') && jq '.mcpServers |= with_entries(.value |= (if has("type") then . else . + {type: "stdio"} end))' "$F" > "$F.tmp" && mv "$F.tmp" "$F"New Features
Graph-Based Agents
A new declarative, YAML-driven agent system where an agent is defined as a directed graph of typed nodes.
- Node types: LLM, native agent, script, RAG, approval, user-input, and Map (fan-out / parallel branches)
- Frontier-based scheduler for parallel super-step execution
- State management with per-super-step staging area and built-in reducers
- Graph validation at load time — catches read/write conflicts, dependency cycles, and invalid map chaining before execution
- Structured output extraction for LLM and agent nodes
- Structured logging for graph execution
- Approval nodes support an
on_otherfallback for free-text alternatives when none of the predefined options match - Agent variables with the same env-var flexibility as normal tool calls
- Branch progress tracker and a
RenderModeenum to keep sub-agent stdout from clobbering during parallel execution - LLM-node failure propagation up the graph
- Unified config: a single file defines an agent as either a normal agent or a graph agent
- Ships with two example graph agents:
deep-researchand a rebuilt graph-basedcoder - See
graph.example.yamland the Graph Agents Wiki page for the full spec
Remote Asset Installation (.install remote)
Install bundles of agents, roles, macros, tools, and MCP servers from any git repository.
- Writes assets to disk with interactive category selection
- MCP config merging when installing remote bundles
- Interactive secret prompting when a remote MCP config references secrets Loki doesn't have
- REPL tab completion for
.install remote
Self-Update
loki .update(from the REPL) andloki --update(from the CLI) update Loki in place
New REPL Commands
.install— install bundled assets on demand.edit— open the MCP config file in your editor
TypeScript Tool Support
- First-class TypeScript custom tools via a refactored
ScriptedLanguagetrait - Demo TypeScript tool and a
get_current_weatherexample - The Python demo tool was expanded to showcase all parameter types and variations
MCP Server Transport Types
- Full HTTP/SSE transport support in MCP configs — Loki now accepts Claude Code-compatible MCP configurations
- Legacy SSE transport retained
- Native-TLS support via an upgraded
rmcp
Improvements
- More comprehensive first-run default config so new users are productive immediately
- Auto-continue support extended to all contexts (not just sessions)
- Dynamic tab completions now scope sessions per agent instead of dumping global sessions
- Python tools now parse via tree-sitter queries instead of AST walking; shared parser module across languages
- Automatic runtime customization via shebangs for scripted tools
- Replaced the
jira-helperagent with the more generalatlassianrole - Documentation migrated from in-repo to the GitHub Wiki
Refactors
- Removed the monolithic
Configstruct, splitting it intoAppConfig,AppState, andRequestContext - LLM graph nodes refactored to use Roles so they behave like inline roles
next_nodeandapply_state_updatesconsolidated intoLlmExecutor- Common Python parser logic extracted into a shared module
Bug Fixes
- LLM node
next_singlebug and improved outcome handling - Inline RAG bug when globbing files by extension without subdirectory globs
RagCachenot being threaded through to agent / sub-agent instantiationagent__collectfreezing on sub-agent escalations- Crash when switching to an agent while a session was active
- MCP servers being re-started on role switch when a session was already active
- Todo instructions being appended even when function calling was disabled
- Panic on empty message list during regenerate
estimate_token_lengthnow uses the standard word-count method- Crate name (
loki-ai) vs. binary name (loki) mismatch breaking dynamic completions - PollSender lock bug in SSE transport
- TypeScript function args being passed as objects instead of as direct parameters
- Various Windows fixes (function calling, binary path shadowing, generalized executable-bit script detection)
- Merged the required Claude Code system prompt into instructions
- Argc argument passing in
run-tool/run-agentscripts
Testing
Substantial test expansion across the codebase:
- Integration tests for the parallel frontier-based graph scheduler
- Integration tests for sub-agent spawning and inter-agent communication
- Integration tests for cross-feature interactions (RAG + agents, function calling/MCP, etc.)
- Unit tests for RAG, completions/prompt, macros, vault, and functions/tool usage
- REPL command + CLI flag tests,
request_contexttests, input tests - Tool-call dispatch/tracking and MCP server lifecycle tests
Build / Chore
- Rust upgraded to 1.95.0
- Dependencies updated to latest (
reqwest,crossterm,reedline,rand, etc.); unused deps removed - Removed the deprecated Claude Haiku 3.5 model
- Updated
models.yaml
AI Use Disclosure
The above release notes were created by Claude Opus 4.7 and reviewed and revised by myself, @Dark-Alex-17.
All code (the graph system, the refactored configuration structure, the new self-update and configuration sharing system, etc.) was
first designed by myself and tested out with simple POCs. AI was used to do the implementation step-by-step with myself
intervening between each step to review, sometimes write more complex code manually (because I don't trust it), and make
changes and catch bugs.
All bugs that emerge as part of this release and any new code added are fully my responsibility
and fully created by myself.
Every line of code written was thoroughly reviewed, tested, and devised by myself prior to any commit.
Models used:
- Claude (Opus, Sonnet, and Haiku)
- OpenAI (GPT 5.2, 4o, o4-mini)
- Ollama (Gemma4, Phi4, Qwen3, llama3.3)
- Mistral (Codestral and Devstral)
- Gemini (3.0-pro-preview and 3.1-pro-preview)
v0.3.0
Complex Agent Orchestration and Parallelization Support is Here!
Highlights
Built-In Sub-Agent Spawning & Parallelization
Loki agents can now spawn and manage child agents that run in parallel as background tasks inside the same process. This enables orchestrator-style agents that delegate specialized work, with a full lifecycle of tools: agent__spawn, agent__check, agent__collect, agent__list, and agent__cancel.
- Built-in sub-agent spawning system with configurable
can_spawn_agents,max_concurrent_agents, andmax_agent_depthsafeguards - Dependency-aware task queue: (
agent__task_create,agent__task_complete,agent__task_fail,agent__task_list) with automatic agent dispatch when tasks become unblocked - Teammate messaging between parallel sub-agents: Sibling agents can communicate directly via
agent__send_messageandagent__check_inbox, enabling real-time collaboration (e.g., sharing cross-cutting findings during parallel code review) - User interaction escalation: Sub-agents at any depth can escalate
user__*prompts up to the root agent, with configurableescalation_timeout - Output summarization for child agents using a configurable
summarization_modelandsummarization_thresholdto keep parent context windows manageable - Auto-injection of spawning instructions into agent prompts via
inject_spawn_instructions
Claude OAuth & Gemini OAuth
Loki now supports OAuth 2.0 PKCE authentication as an alternative to API keys, letting you use your existing Claude Pro/Max or Google Gemini subscriptions directly.
- Claude OAuth: Authenticate via browser-based OAuth flow with manual authorization code paste-back
- Gemini OAuth: Authenticate via automatic localhost loopback callback
- Authenticate from the CLI (
loki --authenticate <client>) or from within the REPL (.authenticate) - First-run setup now offers OAuth as an option for supported providers
- OAuth tokens are stored in
~/.cache/loki/oauthand refreshed automatically
Gemini OAuth Note: Because Loki uses the sensitive generative-language.retriever scope and is an open-source CLI without a formal privacy policy, Google cannot verify the app. During the OAuth flow, you'll see a warning page. Click Advanced → Go to Loki (unsafe) to continue.
CodeRabbit-Style Code Reviewer
A new code-reviewer agent that uses the teammate messaging pattern with parallel sub-agents to perform structured code reviews, similar to CodeRabbit.
- Spawns per-file
file-reviewersub-agents that run in parallel - File reviewers share cross-cutting findings with each other via teammate messaging, so discoveries in one file inform reviews of related files
- New
file-revieweragent designed for single-file review, used by thecode-reviewerorchestrator
Upgraded Sisyphus Agent
The Sisyphus orchestrator agent has been significantly upgraded to leverage the new parallelization system:
- Now uses the built-in sub-agent spawning system to delegate to
explore,coder, andoracleagents in parallel - Integrated DuckDuckGo web search MCP server for answering user queries
- Improved token efficiency when delegating to the coder agent
- Uses built-in user interaction tools instead of custom bash-based tools
- Explicit delegation to the coder agent for any code-writing tasks
Feat
- Built-in user interaction tools (
user__ask,user__confirm,user__input,user__checkbox). Always-available tools for agents to interactively prompt users, with themed rendering and escalation support for sub-agents - DuckDuckGo search MCP server: Added as a built-in MCP server for web search capabilities alongside existing tools
- Web search support added to the
sisyphus,explore, andoracleagents todo__clearfunction and.clear todoREPL command for resetting the todo list when agent direction changes significantly- Themed inquire prompts in the REPL with custom theme support
- Custom response option for multiple-choice prompts when none of the options suit the user's needs
- Configurable
escalation_timeoutfor sub-agent user input (defaults to 5 minutes) - Improved MCP server lifecycle management — modifies existing config in-place rather than stopping and re-initializing all servers on context switches
- Available tools now surfaced in prompts for sisyphus, coder, and code-reviewer agent families
- Added GPT-5.2, Claude 4.6, and Gemini 3.1 Pro Preview to supported models
Fix
- Do not inject tools when models don't support function calling; conflict detected before API calls happen
- Fixed Claude code system prompt injection to produce valid requests
- Secrets injection regex no longer greedily matches across newlines, fixing MCP server secret interpolation
- Secrets injection now skips commented-out lines in YAML configs
- Sub-agent stdout/stderr output improved for user visibility
- Orphaned sub-agents cleaned up when parent agent exits
- Agent delegation tools correctly passed into
{{__tools__}}placeholder - Path normalization fix for oracle and explore agents
- Coder agent no longer creates absolute paths from the current directory
- Coder agent now outputs a summary so the parent Sisyphus agent knows the outcome
- REPL
.authenticatecommand works from within sessions, agents, and roles with pre-configured models - Agent variables correctly injected into environment variables for global tool calls
- Removed
top_pparameter from some agents for cross-provider compatibility - Fixed supervisor and todo built-in errors with OpenAI models
- Recursion bug with similarly named Bash search functions in the explore agent
- Updated Atlassian MCP server endpoint to account for future deprecation
Refactor
- OAuth module made generic to support both loopback and manual OAuth flows
- Default Sisyphus session name changed to
tempto require explicit naming for saved sessions - Removed deprecated agent functions from
.shared/utils.sh
Docs
- Comprehensive documentation for the sub-agent spawning system, teammate messaging, user interaction tools, and escalation
- CodeRabbit-style code reviewer and file-reviewer agent documentation
- Gemini OAuth documentation with unverified app walkthrough
- Authorship policy and PR template requiring disclosure of AI assistance
- Updated MCP server docs for DuckDuckGo search
Build
- Upgraded to the most recent version of the
inquireandrmcpcrates
AI Disclosure
Claude was used to assist with the implementation of the OAuth flows for both Claude and Gemini, and to help diagnose issues with the sub-agent spawning system. All AI-generated code was thoroughly reviewed and tested by myself before being committed. This changelog was drafted with the assistance of Claude, then revised and edited by myself.
v0.2.0
Highlights
This release is a major step forward for Loki, introducing a coordinated multi-agent system, a built-in task tracking framework, intelligent error recovery for tool invocations, and several new file exploration tools. It also includes a breaking dependency upgrade to G-Man that requires vault migration.
⚠️ BREAKING CHANGES — Please Read Before Upgrading!
Vault Migration Required (G-Man v0.3.0 Upgrade)
Loki now depends on G-Man v0.3.0, which contains a critical security fix for local vault encryption. In previous versions, the encryption key was being zeroized before it was used, meaning local vault secrets were effectively encrypted with an all-zeros key.
You must migrate your existing vault before upgrading Loki. The migration process is:
- Before upgrading Loki, dump all your existing secrets from the vault:
loki --list-secrets # Record/export all secret values you need to preserve - Upgrade Loki to v0.2.0.
- Re-insert your secrets into the new vault:
loki --set-secret <name> <value>
Note: If you use a cloud secret provider (AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager), your secrets were always handled by those platforms' own encryption and are unaffected. This only impacts the local vault provider.
✨ New Features
🏗️ Sisyphus Agent System
Loki now ships with a coordinated multi-agent system inspired by OpenCode, designed to make Loki function like Claude Code, Gemini CLI, Codex, or similar AI coding assistants.
- Sisyphus — The main coordinator agent. Acts as the primary entry point for complex coding tasks, managing multi-step workflows and delegating to specialized sub-agents.
- Oracle — A high-level architecture and design consultant. Handles complex debugging, tradeoff analysis, code review, and deep reasoning for ambiguous problems. Designed to be delegated to by Sisyphus when expert analysis is needed.
- Explore — A codebase exploration specialist. Performs deep pattern matching, file system navigation, and context gathering. Read-only by design for safe investigation.
- Coder — Updated to be more task-focused and work as a delegate of Sisyphus for direct implementation and file modifications.
📋 Built-in Task Tracking System (Todo System)
A new built-in task management system helps LLMs — especially smaller models — complete larger, multistep tasks without losing context.
- Four built-in tools:
todo__init,todo__add,todo__done, andtodo__listgive agents structured task planning and tracking capabilities. - Auto-Continuation: When enabled, Loki automatically prompts the model to continue working when incomplete tasks remain. The current todo state is injected into each continuation prompt, keeping the model focused on remaining work.
- Configurable per agent: Control
auto_continue,max_auto_continues,inject_todo_instructions, andcontinuation_promptin each agent'sconfig.yaml. - Loop detection: The system detects when a model's continuation response is identical to its previous response and stops automatically to prevent infinite loops.
See the Todo System Guide for full documentation.
🔄 Tool Invocation Error Recovery
Tool and MCP server invocations that error out no longer terminate execution. Instead:
- Stderr is returned to the model when available, giving the LLM full visibility into what went wrong.
- Automatic retry logic allows the model to learn from the error and try the invocation again, up to a configurable number of attempts.
- Loop detection prevents the model from getting stuck in a cycle — both for individual repeated tool invocations and for chains of tool calls that repeat the same pattern.
🔍 New File Exploration Tools
Three new global tools provide more targeted, token-efficient file exploration:
fs_read— Controlled file reading with line-range support, reducing token usage compared tofs_catfor large files.fs_grep— Search a file's contents for relevant lines, returning only matching context instead of the full file.fs_glob— Pattern-based file discovery for targeted exploration of project structures.
🤖 Model Support
- Gemini 3 Pro added to supported Vertex AI models.
- Claude Opus 4.5 build support added.
- Gemini 3+ thought signatures are now supported.
📚 RAG Source References
RAG search results now include source attribution, so the model can cite which files or URLs its answers came from.
__SOURCES__placeholder: A new optional template variable that expands to a list of source file paths and URLs used to retrieve context. Use it in yourrag_templatealongside__CONTEXT__and__INPUT__.- Per-chunk source annotation: Each chunk in
__CONTEXT__is now prefixed with a[Source: <path>]header, letting the model attribute specific information to specific documents. - Default template updated: The built-in RAG template now includes a
<sources>section and instructs the model to cite sources when answering.
🔧 Agent Enhancements
- Variable interpolation in conversation starters: Agent conversation starters now support the same
{{variable}}interpolation syntax as instructions. - Agent-level guard bypass variables: Agent variables can now be defined to bypass guard protections for tool invocations, enabling more flexible agent routing.
- Environment variable guard bypass: A new environment variable (
AUTO_CONFIRM) lets users bypass guard operations in bash scripts, useful for agent routing workflows. - Jira Helper upgrade: Now uses the official Atlassian MCP server instead of the custom CLI-based tooling.
🐛 Bug Fixes
- Claude tool calls with no arguments: Fixed an issue where Claude would provide an empty JSON object or error when a tool required no arguments or flags.
- Agent variable passthrough: Fixed a bug where
--agent-variablevalues were not being passed to agents correctly. - Auto-continuation after compression: Fixed auto-continuation to work correctly in agents after a session is compressed, provided there are still unfinished todo items.
- Continuation prompt quality: Improved the continuation prompt to discourage the model from creating overly broad todo items.
- Tool output redirection:
fs_lsandfs_catoutputs now always redirect to$LLM_OUTPUT, including on errors. - Tool call error message typos: Fixed several typos in tool call error messages.
📖 Documentation
- Todo System Guide: Comprehensive new documentation covering configuration, usage, best practices, and troubleshooting for the todo system.
- Agent documentation: Updated to cover the new Sisyphus, Oracle, and Explore agents.
- Tools documentation: Updated to document the new
fs_read,fs_grep, andfs_globtools. - CREDITS file: Created a
CREDITS.mdfile documenting Loki's history and origins from the original AIChat project. - Default configuration example: Updated to include the new global functions and agent configurations.
🏗️ Build & Infrastructure
- G-Man v0.3.0: Upgraded to address local vault encryption vulnerabilities (see Breaking Changes above).
- Justfile: Added a
justfileto streamline common development tasks. - Claude Opus 4.5: Added build support.
🎨 Style
- Cleaned up an
anyhowerror message for consistency.
📋 Full Changelog
| Type | Description | Commit |
|---|---|---|
| feat | Created the Sisyphus agent (coordinator for Coder, Explore, Oracle) | 6abe2c5 |
| feat | Created the Oracle agent for architecture and design decisions | 03cfd59 |
| feat | Created the Explore agent for codebase exploration | 3779b94 |
| feat | Updated the Coder agent for task-focused delegation by Sisyphus | 4d7d5e5 |
| feat | Built-in task management system (Todo System) | a935add |
| feat | Tool invocation retry logic and chain loop detection | d5e0728 |
| feat | Tool/MCP error handling — stderr returned to model | 8a37a88 |
| feat | Created fs_read tool |
d4e0d48 |
| feat | Created fs_grep tool |
c7a2ec0 |
| feat | Created fs_glob tool |
486001e |
| feat | Agent-level variable guard bypass | 07f23ba |
| feat | Variable interpolation for conversation starters | 8f66cac |
| feat | Environment variable for guard bypass in bash scripts | 66801b5 |
| feat | Gemini 3 Pro support (Vertex AI) | f56ed7d |
| feat | Gemini 3+ thought signatures | 2eba530 |
| feat | RAG source references — __SOURCES__ placeholder and per-chunk source attribution |
|
| feat | Official Atlassian MCP server for Jira Helper | 621c904 |
| build | Upgraded G-Man to v0.3.0 (BREAKING — vault migration required) | 0a40ddd |
| build | Claude Opus 4.5 support | 5cb8070 |
| build | Created justfile | cdd8291 |
| fix | Claude tool calls with empty/no arguments | 25c0885 |
| fix | Agent variable passthrough | f2de196 |
| fix | Auto-continuation after session compression | 70c2d41 |
| fix | Improved continuation prompt quality | b11797e |
| fix | fs_ls/fs_cat output redirection on errors |
f82c9af |
| fix | Tool call error message typos | d79e4b9 |
| docs | Todo System documentation | d2e541c |
| docs | Agent documentation updates (Sisyphus, Oracle, Explore) | 4cfaa2d |
| docs | Tools documentation (fs_read, fs_grep, fs_glo... |