Tandem v0.5.13

@github-actions github-actions released this 02 Jun 12:53
· 147 commits to main since this release

See the assets below to download the installer for your platform.

v0.5.13 (2026-06-02)

Tandem 0.5.13 combines the Linear-backed Coder intake work with a focused
runtime security hardening pass. The release tightens local API exposure,
workspace mutation defaults, shell execution, tenant scoping, audit/event
visibility, secret storage, and browser/provider network guardrails.

Coder Linear Intake

  • The Coder control panel can now register ACA projects backed by Linear teams
    and projects, with optional launch-status, label, and search-query filters.
  • The Coder intake board now renders both GitHub Project items and Linear
    issues through one scheduler-aware issue board, including batch launch,
    active-run detection, and direct issue links.
  • Coder overview and intake refresh messaging now reflect the selected issue
    source, including Linear MCP connection state when a Linear-backed project is
    selected.

Automations V2 Reliability

  • Automations V2 completion is now gated by terminal checkpoint integrity and
    contract-aware deliverable assertions instead of only checking for empty
    pending-node queues.
  • Required file deliverables must exist, be substantive, and pass basic shape
    checks; missing or weak deliverables requeue the owning node while repair
    attempts remain.
  • Required email delivery and generic outbound connector actions now need
    successful receipt evidence before the run can complete. Model prose alone no
    longer satisfies governed side effects.
  • Workflow graph validation now rejects dependency cycles and keeps input_refs
    aligned with readiness dependencies, including through budget compaction and
    strict sequential plans.
  • Verification failures now retry through the repair path until attempt budget
    is exhausted, and verification failure detection is scoped to verification
    output rather than unrelated artifact prose.
  • Recoverable tool execution errors are surfaced to the model for adaptation,
    while cancellation, shutdown, runtime-not-ready, and write-required
    permission failures remain loud failures.
  • Timer-triggered automations now dedupe queued/running runs the same way watch
    triggers do, preventing slow scheduled workflows from accumulating backlogs.
  • Parked-state lifecycle handling is explicit: approval gates can be marked as
    visibly stale under a manual-only policy, guardrail-stopped runs can
    auto-resume after approved quota overrides, stale reaping honors active
    run-registry heartbeats, and node execution uses idle/no-progress timeouts
    with an absolute ceiling.
  • Warning outcomes are now consistent across runtime and learning surfaces:
    accepted_with_warnings remains passable only without unmet requirements,
    but it is not counted as a clean workflow-learning validation pass and does
    not generate positive learning evidence.

Runtime Security Hardening

  • Local engine HTTP API startup now refuses unauthenticated non-loopback binds,
    and token-clearing no longer reopens the API.
  • HTTP MCP registration rejects arbitrary stdio: transports.
  • File write, edit, and patch tools now ask by default instead of silently
    mutating the workspace.
  • Batch sub-calls pass through permission and sandbox evaluation so nested tool
    calls cannot skip approval gates.
  • Workspace and write-policy checks fail closed when no workspace root can be
    resolved.
  • Shell execution uses Linux bubblewrap confinement by default, requires
    workspace context, and requires an explicit unsafe opt-out for unsandboxed
    shell execution.
  • Automation auto-approval now treats empty allowlists as deny-all and refuses
    to auto-approve shell tools.
  • Local single-tenant mode ignores caller-supplied tenant headers; hosted and
    enterprise tenant context continues to require signed assertions.
  • Run event streams, audit streams, and project listing now enforce tenant
    ownership/visibility checks.
  • API tokens, vault keys, and TUI keystores are written with owner-only Unix
    permissions, and vault passphrases replace the previous 4-digit PIN model.
  • Browser navigation fails closed without an allowlist and blocks local/private
    targets; provider base URL validation rejects unsafe remote HTTP endpoints.
  • Provider credential debug output and bug-monitor log redaction now avoid
    leaking plaintext secrets.
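The network guardrails listed above (unauthenticated non-loopback bind refusal, an empty browser allowlist treated as deny-all, blocking of local/private navigation targets, and provider base URL validation) follow one pattern: every check fails closed. The block below is an added illustration in Python of that pattern; it is not Tandem's code, and the function names, the allowlist format (a set of domains that also admits their subdomains), the decision to block private targets even when a host is allowlisted, and the exception permitting plain http for loopback provider endpoints are all assumptions made for the example.

```python
"""Fail-closed network guardrails in the style of the release notes.

Added illustration only; not Tandem's own implementation. Function names,
the allowlist format and every policy choice below are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit


def is_local_or_private_host(host: str) -> bool:
    """True for loopback, private, link-local, unspecified, multicast and
    reserved addresses, and for names that conventionally resolve locally.
    No DNS lookup is done here; a real guard must also re-check the address
    actually resolved at connect time, or the name check can be bypassed."""
    h = host.lower()
    if h == "localhost" or h.endswith(".localhost") or h.endswith(".local"):
        return True
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        return False  # plain hostname: left to the resolver-level check
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def browser_navigation_allowed(url: str, allowlist: frozenset[str]) -> bool:
    """Empty allowlist means deny-all. A host must equal an allowlisted
    domain or be a subdomain of one (dot-anchored, so 'evil-example.com'
    does not match 'example.com'), and local/private targets are refused
    even when listed (assumed policy)."""
    if not allowlist:
        return False
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in {"http", "https"} or not host:
        return False
    if is_local_or_private_host(host):
        return False
    return any(host == d or host.endswith("." + d) for d in allowlist)


def provider_base_url_allowed(url: str) -> bool:
    """Provider endpoints must be https. Plain http is tolerated only for
    loopback, so a local model server still works (assumed policy)."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host or parts.scheme not in {"http", "https"}:
        return False
    if parts.scheme == "https":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def api_bind_allowed(bind_host: str, token_configured: bool) -> bool:
    """Refuse to start the local API unauthenticated on anything but a
    loopback address. With a token configured, a wider bind is permitted."""
    if token_configured:
        return True
    try:
        return ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        return bind_host.lower() == "localhost"


if __name__ == "__main__":
    # Constructed sample inputs, not values from the project.
    allow = frozenset({"example.com"})
    print(browser_navigation_allowed("https://docs.example.com/", allow))   # True
    print(browser_navigation_allowed("https://docs.example.com/", frozenset()))  # False
    print(browser_navigation_allowed("http://10.0.0.5/", frozenset({"10.0.0.5"})))  # False
    print(provider_base_url_allowed("http://api.example.com/v1"))  # False
    print(api_bind_allowed("0.0.0.0", token_configured=False))   # False
```

The deny-all default and the dot-anchored suffix match are the two places where an allowlist check most often goes wrong in practice; the `__main__` section exercises both, and `api_bind_allowed` mirrors the startup rule that a non-loopback bind is only acceptable once token auth is in place.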

Compatibility Notes

  • Linux hosts that need shell execution must have bubblewrap available, or
    explicitly set TANDEM_UNSAFE_UNSANDBOXED_SHELL=1 for trusted local-only
    development.
  • Local clients should rely on the generated/shared API token rather than
    clearing token auth during development.

Full Changelog: v0.5.12...v0.5.13