v0.86.4

v0.86.4 — Security AST, _safe_call, README overhaul, Evolution fixes

Security (Item 5 — Reddit Refactor)

• Python AST Guard: Detects getattr/setattr bypass, chr() concat, __import__, exec/eval, dunder escape (40 tests)
• Shell AST Guard: bashlex parsing with regex fallback, 60+ blocked commands, substitution/chaining detection (48 tests)
• Gatekeeper: AST Layer 1 + Regex Layer 2 dual-defense for both Python and Shell

Observability (Item 3 — Reddit Refactor)

• _safe_call: All 22 subsystem inits in advanced.py tracked with failure registry
• Health endpoint: Shows degraded status + failed subsystem names
• 11 unit tests for safe_call module

README Accuracy (Item 2 — Reddit Refactor)

• Live CI + PyPI badges replace static ones
• Sandbox claims corrected (platform-adaptive, not "4-level")
• Tool count 120+, installation extras documented
• Development Status downgraded to Beta

Evolution Engine

• LLM-generated search queries instead of static templates
• search_and_read instead of web_search for source discovery
• Coverage thresholds increased, proportional scoring (1% granularity)
• Back-to-back cycles (5s pause instead of 5min cooldown)
• Journal API endpoint, Evolution config page in Flutter UI
• Learning goals persist across config saves

Reddit Lead Hunter

• Hard routing bypasses Planner for reddit_scan
• Product parameter added to reddit_scan
• LLM scoring uses qwen3:32b (was missing model parameter)

Kanban

• pending_review status for human-in-the-loop
• Scheduled tasks panel with cron job toggle
• Drag-and-drop reorder within columns

Fixes

• Bootstrap PEP 563 annotation resolution
• Config save: social/kanban/vault sections now editable
• ModelsConfig field names corrected
• DB corruption from force-kills handled
• Auto-upgrade syncs code + UI + procedures

Full Changelog: v0.86.3...v0.86.4