release: v0.10.0-rc12 (consolidate #593/#594/#595/#597 + review hardening)#600
Merged
Conversation
…l> as primary After a persistent inference buy publishes paid/<remote-model> in LiteLLM, the agent adopts it as its own primary chat model in-pod via native 'hermes config set model.default' (atomic write, per-request re-read, no restart, no host CLI, no new RBAC). Includes a LiteLLM /v1/models existence guard, an auto-refill safety warning, and a PyYAML fallback writer. Validated by a design+adversarial workflow and a live CLI smoke against a running obol-agent: buy --set-default flips config.yaml model.default to paid/AEON-7/... and the next agent chat settled via the x402-buyer pool (spent 0->1) with no restart; rollback verified.
# Conflicts: # internal/hermes/hermes.go
The /api OpenAPI reference is served over the public tunnel and pulls the @scalar/api-reference bundle from jsdelivr. The integrity hash was left empty in phase 1, so the browser executed whatever the CDN returned, unverified. Populate scalarBundleSRI with the sha384 of the pinned 1.34.0 bundle so a tampered CDN response is blocked. Comment updated to stress the hash must be re-derived in lockstep with every scalarBundleVersion bump.
…arning The 'paid/<model> not selectable in LiteLLM' guard ran *after* the no-auto-refill WARNING. A model that LiteLLM would refuse still printed a scary 'every chat turn fails when the pool empties' warning describing a primary-model failure mode that cannot occur when the default was never switched. Reorder so we refuse first and only warn when we are actually about to adopt the model.
…e commands spec.model.name and metadata.name flow from the ServiceOffer CR into copy-pasteable 'obol buy inference ...' commands rendered on the public 402 page. A hostile or fat-fingered offer could smuggle shell metacharacters into a command a reader might paste. Add sanitizeDisplayToken at the render boundary: CR-sourced tokens must match the model-id/k8s-name charset (^[A-Za-z0-9._:/-]+$) or collapse to the existing safe placeholder. Real ids like qwen3.5:9b and anthropic/claude-3-5-sonnet-latest pass through unchanged.
review fixes for #598: Scalar SRI pin, buy-x402 guard order, 402 token sanitization
…sell-agent facts Terse rewrite of project CLAUDE.md (42725 -> 41797 bytes) corrected against the live codebase. Preserves all invariants, the 14 pitfalls, and flag warnings; adds #597's stream:true / statusRecorder.Flush guidance and agent-backed-offer (port 8642) facts so the compressed doc loses nothing rc12 ships.
This was referenced Jun 5, 2026
OisinKyne
reviewed
Jun 5, 2026
OisinKyne
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
release/v0.10.0-rc12→main(tracking PR)This is the rc12 release branch. It consolidates four PRs on top of
mainand folds in the post-review hardening, so the branch that ships as thev0.10.0-rc12pre-release is exactly what lands onmain.Consolidated PRs
oisin/402-html-pageoisin/openapi/apireference for offered servicesfeat/buy-x402-set-default--set-default— agent self-adoptspaid/<model>as primaryoisin/streamingFlush/Hijack) to keep the tunnel aliveMerged
#593 → #595 → #597 → #594. One conflict ininternal/hermes/hermes.go(#594 predated51fd708's deployment-strategy migration), resolved net-zero vsorigin/main;go test ./internal/hermes/passes.Review hardening (folded in via #599)
The multi-agent review of the consolidated diff found no blockers; the three follow-ups (2 MED, 1 LOW) are now part of this branch:
security(x402)— SRI-pin the Scalar bundle on the public/apipage.scalarBundleSRIwas empty → the browser executed unverified CDN bytes. Populated with thesha384of the pinned@scalar/api-reference@1.34.0bundle. Re-derive on everyscalarBundleVersionbump.fix(buy-x402)— run thepaid/<model>existence guard before the no-auto-refill warning, so a model LiteLLM would refuse no longer prints a misleading "chat will brick" warning.security(x402)—sanitizeDisplayTokenat the 402 render boundary.spec.model.name/metadata.nameflow into copy-pasteableobol buy inference …commands on the public 402 page; CR tokens must match^[A-Za-z0-9._:/-]+$or collapse to a safe placeholder. Real ids (qwen3.5:9b,anthropic/claude-3-5-sonnet-latest) pass through; shell metacharacters cannot.Verification
go build ./...clean;gofmtcleanTestSanitizeDisplayToken+TestInferenceCopy_StripsShellMetacharsFromCommandDocs
docs(claude): projectCLAUDE.mdcompressed (42725 → 41797 bytes) and corrected against the live codebase; feat(agent): have sub-agents stream their responses to keep the tunnel alive #597'sstream: true/statusRecorder.Flushand agent-backed-offer (port 8642) facts folded into the terse rewrite so nothing rc12 ships is dropped. All invariants, the 14 pitfalls, and flag warnings preserved.