Skip to content

Tandem v0.5.10

Choose a tag to compare

View all tags
@github-actions github-actions released this 25 May 17:55
· 170 commits to main since this release
v0.5.10
bc49ff6

See the assets below to download the installer for your platform.

v0.5.10 (Unreleased)

Tandem 0.5.10 opens the enterprise connector source-binding workstream. The
focus is safe ingestion governance for hosted and enterprise deployments:
connector credentials as secret references, source bindings mapped to
ResourceRef and DataClass, quarantine/revoke/rotate workflows,
resource-scoped memory retrieval, and hosted authorization hardening around
who may bind company data into Tandem.

This unreleased line currently contains the contract foundation, enterprise
admin shell, storage-backed organization-unit registry, and storage-backed
source-binding registry. Manual memory imports can now optionally target an
enabled source binding so imported chunks carry resource and data-class
metadata. Google Drive now has a guarded admin-triggered import path; Notion,
GitHub, Slack, Gmail, live OAuth, background workers, and production connector
automation remain follow-up implementation phases.

Enterprise Connector Source Binding

  • Added transport-safe enterprise contract types for connector instances,
    connector lifecycle state, connector credential references, credential
    classes, source binding state, ingestion policy, source objects, ingestion
    jobs, ingestion quarantine, quarantine dispositions, and scoped memory chunk
    references.
  • Added generic organization-unit taxonomy contract types so admins can model
    company-specific domains such as HR, Doctors, Consultants, Claims Adjusters,
    Board Members, or Platform Oncall without hardcoded Tandem roles.
  • Organization-unit memberships can feed ScopedGrant through the new
    organization-unit membership grant source while preserving the existing
    principal/resource/data-class projection model.
  • Added enterprise admin endpoints for org-unit and source-binding management.
    Organization units now have tenant-scoped storage-backed create/list behavior;
    source bindings now have tenant-scoped storage-backed create/list/update
    behavior with ResourceRef tenant validation and admin-gated mutations.
  • Verified hosted context now preserves signed assertion roles so enterprise
    admin mutations can fail closed unless the Tandem-signed hosted context
    carries admin/owner/reconfigure authority.
  • Added a hidden-by-default Enterprise admin page in the control panel. It reads
    the storage-backed org-unit and source-binding endpoints, displays
    tenant/principal context, creates org units and source bindings, and can move
    source bindings between enabled, disabled, and quarantined states.
  • Connector credential references carry only SecretRef metadata and default
    to read-only credentials. They intentionally do not model raw credential
    values.
  • Source bindings map external source roots to Tandem ResourceRef and
    DataClass values, giving manual upload and future external connectors a
    common resource-scoped ingestion contract.
  • Manual memory imports accept an optional source_binding_id, fail closed if
    the binding is outside the tenant or disabled for indexing, and stamp chunks
    with source-binding, resource, data-class, and source-object metadata while
    preserving local/default import behavior when unset.
  • Source-bound vector memory now fails closed before ranking. Chunks stamped
    with enterprise source-binding metadata are hidden unless the caller supplies
    a strict tenant access projection with a matching Read grant for the bound
    ResourceRef and DataClass.
  • Governed/global memory search now applies the same source-binding guard.
    Records with enterprise source-binding metadata are filtered out unless the
    verified tenant assertion carries a strict projection with matching
    resource/data-class read authority.
  • Response-cache entries can now be partitioned by tenant and source binding,
    and invalidated for a specific binding. Source-binding admin changes emit an
    invalidation-required event so future cache consumers can purge stale answers
    after disable, quarantine, revoke, or permission changes.
  • Tool schemas now have additive enterprise security descriptors covering
    required permissions, resource kinds, data classes, admin surfaces, external
    side effects, credential access, and default visibility. Built-in tools emit
    descriptors from their metadata, and unannotated MCP/provider tools can be
    classified conservatively before future discovery masking and execution
    enforcement.
  • The embedded MCP catalog now carries security metadata for servers and
    cataloged tools. Catalog-provided overrides can mark sensitive tools as
    admin/credential/hidden, while unannotated tools receive conservative
    descriptors from catalog context and action classification.
  • Operators can provide JSON/YAML MCP tool-security overrides with
    TANDEM_MCP_TOOL_SECURITY_OVERRIDES_PATH, allowing enterprise deployments to
    tune server and per-tool security descriptors without rebuilding the embedded
    catalog.
  • mcp_list now applies discovery authorization when a signed strict tenant
    projection is present. Unauthorized MCP tools are removed from the discovery
    inventory before the model can see them; local/unscoped discovery remains
    unchanged.
  • Provider/model calls now apply the same strict projection to advertised tool
    schemas before invocation. Unauthorized admin, credential, execute, or
    resource-scoped tools are omitted from the provider-visible tool list while
    local/unscoped sessions remain compatible.
  • Source-bound manual uploads now create durable source-object lifecycle
    records keyed by tenant, source binding, and native object identity. Changed
    documents keep the same source object ID while their hashes update, and
    sync_deletes tombstones removed uploads so later admin workflows can
    reindex, delete, or re-scope by binding/resource.
  • Enterprise admins can now list source-object lifecycle records for a source
    binding, request reindex by purging stale chunks/import index rows, hard
    delete a source object and indexed content, or re-scope its resource/data
    class metadata. Each mutation reuses enterprise admin authorization and emits
    source-binding cache invalidation.
  • The hidden Enterprise admin page now exposes those source-object lifecycle
    rows for a selected source binding and provides reindex, delete, and re-scope
    controls from the hosted admin UI.
  • Hosted/enterprise manual memory imports now require source_binding_id so
    company data is scoped to a ResourceRef and DataClass before indexing.
    Local/default imports can still remain unbound for non-enterprise installs.
  • Local/default manual memory imports can now opt into the generated
    local_manual_upload binding. This gives local installs source-object
    lifecycle tracking under an internal document_collection scope without
    forcing legacy unbound imports to migrate immediately.
  • The enterprise connector trust-proof matrix now has explicit coverage for
    hosted non-admin connector creation denial, source-bound upload
    ResourceRef lifecycle stamping, and same native source IDs remaining
    tenant-scoped.
  • Source-bound memory retrieval now has explicit tenant-isolation proof: tenant
    A cannot retrieve tenant B chunks even when the binding ID, native object
    path, and search phrase overlap.
  • Source-object re-scope now has explicit purge coverage: old indexed chunks
    are deleted before lifecycle metadata moves to the new resource/data class,
    preventing stale prompt context from surviving permission changes.
  • Source-bound prompt-context assembly now has explicit regression coverage:
    source-bound current-session and history chunks are excluded from assembled
    prompt context unless a strict tenant projection grants read access to the
    bound ResourceRef and DataClass.
  • Governed memory list responses now apply the source-bound visibility guard
    before returning metadata, preventing list/citation browser surfaces from
    exposing source-object IDs, native object paths, or binding IDs without a
    strict read grant.
  • Coder governed-memory hit artifacts now fail closed for source-bound records,
    with coverage proving coder memory-hit responses do not expose source-object
    IDs, native object paths, or binding IDs without a strict read grant path.
  • Automation upstream evidence now filters source-bound internal identifiers
    from read paths, discovered paths, and citations before downstream workflow
    nodes can reuse them as citation evidence.
  • Strict session KB grounding now ignores source-bound internal identifiers
    when extracting source labels and document refs, preventing KB citation
    renderers from exposing source-object metadata.
  • Disabling or quarantining a source binding now purges indexed content for its
    lifecycle records and tombstones affected source objects, closing the
    binding-level stale prompt-context path after permission changes.
  • Prompt-context injection and coder duplicate-memory scans now skip
    source-bound governed records by default, closing remaining local/default
    memory caller gaps when no strict grant projection is available.
  • Managed hosted detection now reports hosted auth availability separately, so
    disconnected local test deployments can still use the engine-token sign-in
    path while connected hosted servers keep Tandem hosted login enforcement.
  • Connector instances now have storage-backed tenant-scoped admin endpoints for
    lifecycle management. Source-bound imports require the referenced connector
    to exist and be active, so paused, revoked, or quarantined connectors block
    ingestion before data reaches memory.
  • The hidden Enterprise admin page can now create connector lifecycle records,
    list tenant-scoped connector status, and pause, revoke, quarantine, or
    reactivate connectors from the control panel.
  • Enterprise organization-unit memberships now have tenant-scoped runtime
    storage, admin-gated create/list/update endpoints, and hidden admin UI
    controls for assigning hosted users, groups, agents, and service accounts to
    company-defined units such as departments, clinical roles, consultants, or
    executive groups. This is the first Phase H execution slice for turning
    company taxonomy into future signed grant projection.
  • Organization-unit access grants now provide the missing access-rule layer
    between company taxonomy and resource/data-class permissions. Enterprise
    admins can create tenant-scoped unit grants, preview the effective
    ScopedGrant projection for a member, and disable grants before the global
    signing middleware begins appending those projections to verified strict
    contexts.
  • Signed hosted/enterprise request ingress now appends active
    organization-unit membership grants into existing verified strict contexts.
    This makes company-defined units such as departments, clinical groups, or
    consultant groups available to strict runtime access checks while preserving
    fail-closed behavior for assertions that do not already carry a strict
    projection.
  • Added denial-focused strict-context tests for department and executive
    access: finance grants do not reveal engineering source data, engineering
    grants do not reveal HR compensation records, CEO/global access is explicit,
    and CEO-spawned agents remain narrow unless the signed projection delegates
    broader access.
  • Fintech audit package assembly now filters scoped artifacts before export.
    Artifacts carrying ResourceRef and DataClass metadata are included only
    when a strict projection grants Read for that resource/data class; scoped
    artifacts are excluded with an audit-package limitation when authorization is
    missing.
  • Connector credential-reference admin endpoints now accept and rotate
    SecretRef records without accepting raw credential values. Credential refs
    are tenant-validated, can be source-bound to a resource, and are visible in
    the hidden Enterprise admin page as metadata only.
  • Source-bound manual memory imports now write persisted enterprise ingestion
    job audit records with connector/binding scope, job state, timing, and
    touched source-object IDs. The hidden Enterprise admin page can inspect these
    records for a selected binding.
  • Review-required source bindings now create persisted quarantine records and
    remove newly indexed chunks before they can be retrieved. Enterprise admins
    can review quarantines from the runtime or hidden admin page and mark a
    release, delete, or reindex disposition.
  • Connector revoke/rotate response handling now has an admin-visible impact
    summary. The runtime and hidden Enterprise admin page can report affected
    bindings, source objects, ingestion jobs, quarantines, compromise window, and
    recommended response actions for a connector. Compromise-window timing includes
    source-object lifecycle timestamps so uploaded/indexed content bounds the
    audit window.
  • Source-binding, source-object, quarantine-review, connector lifecycle, and
    connector credential changes now invalidate matching source-bound response
    cache entries when the response cache is present.
  • Google Drive is now exposed as the first constrained enterprise connector
    provider with v1 read-only/source-bound credential policy guardrails. The
    runtime now includes a read-only Drive client for folder listing, stored-file
    download, and Google Workspace export, plus a runtime-only env://...
    secret-ref resolver and admin-gated source-binding preflight endpoint for
    local bearer-token testing.
  • The first admin-triggered Google Drive import endpoint now reuses those
    guardrails to fetch supported Drive documents into a stable source-binding
    namespace, create ingestion job and source-object lifecycle records, honor
    review-required quarantine, and invalidate source-bound response-cache entries
    after indexing. This remains an admin-controlled v1 path, not broad automatic
    OAuth ingestion.
  • The hidden Enterprise admin page can now run Google Drive source-binding
    preflight, trigger the admin-controlled import endpoint, and refresh
    source-object, ingestion-job, quarantine, and connector-impact views around
    the selected binding.
  • The Google Drive import path now has HTTP-level regression coverage proving a
    review-required source binding records a quarantined ingestion job,
    source-object lifecycle row, and quarantine record while keeping resolved
    credential material out of responses.
  • Google Drive enterprise preflight and import route handling now live in a
    focused HTTP module, keeping connector-specific orchestration separate from
    the general enterprise admin routes as more connector behavior lands.
  • Organization-unit and ingestion/source-object lifecycle endpoints also now
    live in focused enterprise HTTP modules, keeping the primary enterprise admin
    route file under the source-size guideline before the next connector work.
  • Google Drive source bindings now have an explicit admin re-fetch/reindex
    operation. It reuses the read-only source-bound credential checks and stable
    binding namespace, records ingestion jobs, honors quarantine policy, evicts
    source-bound cache entries, and keeps resolved credential material out of
    responses.
  • Ingestion gating helpers model the required fail-closed behavior for paused,
    revoked, or quarantined connectors, disabled bindings, and review-only
    ingestion policy.
  • Added the internal enterprise connector source-binding Kanban covering
    rollout phases, mitigations, memory/retrieval implications, denial tests,
    and open ownership decisions.

Full Changelog: v0.5.9...v0.5.10

Assets 31
Loading