Tandem v0.5.9

@github-actions github-actions released this 20 May 23:16
· 248 commits to main since this release
1398745

See the assets below to download the installer for your platform.

v0.5.9 (Unreleased)

Tandem 0.5.9 continues the hosted tenant-isolation work for Automation V2. The
focus is denial-driven hardening for background and applied automation paths:
scheduled runs, watch-triggered runs, stale recovery, imported/applied
definitions, Automation V2 event visibility, runtime route isolation, provider
and MCP credential boundaries, vector-backed memory partitioning, and the first
coder artifact tenant boundary. The current unreleased work also starts the
workspace access-control contract layer for Google Workspace-style company data
and resource grants.

Enterprise Workspace Access Control

  • Added public enterprise contract vocabulary for organization/workspace/
    department/project/resource hierarchies: ResourceKind,
    ResourcePathSegment, ResourceRef, and ResourceScope.
  • Added access-control vocabulary for View, Read, Edit, Execute,
    Delegate, and Admin, plus data classes such as executive, credential,
    source-code, customer-data, and financial-record scopes.
  • Added normalized principal references for humans, groups, departments, agent
    workers, automations, service accounts, external delegates, and support
    operators.
  • Added GrantSource and ScopedGrant so access can be attributed to direct
    assignment, group membership, department membership, inherited grants,
    explicit executive/global grants, delegated projections, or break-glass
    authority.
  • Added StrictTenantContext, DataBoundary, and AssertionMetadata as the
    additive strict context object for hosted/enterprise projections over tenant
    context, principals, authority chains, resource scopes, grants, data-class
    boundaries, and signed assertion metadata.
  • Added allow/deny grant effects, structured access decisions, and
    StrictTenantContext evaluation helpers so explicit denies win over
    inherited allows, projected resource scopes bound access, expired grants do
    not apply, and project grants can authorize path-scoped resources.
  • Extended Tandem context assertion claims with optional principal,
    resource-scope, scoped-grant, and data-boundary projection fields. Existing
    tenant-only v1 assertions remain valid and deserialize without strict
    projection data.
  • Added a typed enterprise signing-key purpose vocabulary for context
    assertions, approval receipts, delegation projections, A2A peer assertions,
    and break-glass/admin assertions.
  • Added hosted context assertion key metadata checks so keyring entries can
    bind a public key to the context_assertion purpose, org/deployment,
    allowed audiences, allowed resource-scope prefixes, activation windows, and
    active status while preserving legacy string and delimited key formats.
  • Re-exported the new contract vocabulary through tandem-types.
  • Added contract tests covering Finance department data access, Engineering
    repository path scopes, cross-functional group access, CEO org-wide executive
    grants, MCP tool resource targets, expiring delegated vendor-agent access,
    data-boundary denials, project-scoped agent projections, explicit deny
    precedence, expired grants, narrow delegation, scoped assertion projections,
    and legacy assertion compatibility.
  • Added the first hosted control-panel login exchange: managed hosted panels
    redirect users through https://tandem.ac, Tandem-web authorizes hosted org
    membership, the VM exchanges a one-time code with its host-agent token, and
    the browser receives only a panel session while the engine token remains a
    server-side root transport secret.
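
The grant evaluation rules listed above (explicit denies win over inherited allows, projected resource scopes bound access, expired grants do not apply, project grants authorize path-scoped resources) can be sketched as follows. This is an added example, not Tandem's code: the type names, the decide function, and the org/acme paths are hypothetical and constructed for illustration.

```rust
// Added illustration; names are hypothetical and are not the tandem-types API.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Effect { Allow, Deny }

#[derive(PartialEq, Debug)]
pub enum Decision { Allowed, DeniedExplicit, DeniedOutOfScope, DeniedNoGrant }

pub struct Grant {
    pub scope: &'static str,     // resource path prefix the grant covers
    pub effect: Effect,
    pub expires_at: Option<u64>, // unix seconds; None means no expiry
}

/// True when `resource` equals `scope` or sits below it on a path-segment
/// boundary, so "org/acme/eng" does not cover "org/acme/engineering".
fn covers(scope: &str, resource: &str) -> bool {
    resource == scope || resource.strip_prefix(scope).map_or(false, |rest| rest.starts_with('/'))
}

pub fn decide(projected: &[&str], grants: &[Grant], resource: &str, now: u64) -> Decision {
    // 1. The projected resource scopes bound everything else.
    if !projected.iter().any(|s| covers(s, resource)) {
        return Decision::DeniedOutOfScope;
    }
    // 2. Only unexpired grants whose scope covers the resource apply.
    let live: Vec<&Grant> = grants
        .iter()
        .filter(|g| g.expires_at.map_or(true, |t| now < t) && covers(g.scope, resource))
        .collect();
    // 3. Any applicable deny wins, regardless of how many allows are inherited.
    if live.iter().any(|g| g.effect == Effect::Deny) {
        return Decision::DeniedExplicit;
    }
    if live.iter().any(|g| g.effect == Effect::Allow) { Decision::Allowed } else { Decision::DeniedNoGrant }
}

/// Constructed sample: a project-wide allow, a deny on one path, an expired allow.
pub fn sample_grants() -> Vec<Grant> {
    vec![
        Grant { scope: "org/acme/eng", effect: Effect::Allow, expires_at: None },
        Grant { scope: "org/acme/eng/repo/secrets", effect: Effect::Deny, expires_at: None },
        Grant { scope: "org/acme/finance", effect: Effect::Allow, expires_at: Some(1_000) },
    ]
}

fn main() {
    let (grants, projected) = (sample_grants(), ["org/acme/eng", "org/acme/finance"]);
    for r in ["org/acme/eng/repo/app", "org/acme/eng/repo/secrets/key", "org/acme/finance/ledger"] {
        println!("{r}: {:?}", decide(&projected, &grants, r, 2_000));
    }
}
```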

Hosted Runtime Ingress

  • Hosted and enterprise runtime modes now require a configured deployment
    transport token before accepting requests.
  • Verified hosted context assertions must carry explicit deployment-scoped
    tenant context rather than local_implicit.
  • Context assertion verification now rejects authority chains whose initiating
    actor does not match the signed human actor.
  • Request principals derived from signed context now use the verified assertion
    issuer as their source, preserving the Tandem control-plane trust boundary.
  • Managed hosted control panels now forward Tandem-signed context assertions to
    the engine proxy and hide customer dashboard engine-token reveal for managed
    deployments.

Automation V2 Tenant Isolation

  • Workflow planner apply, mission builder apply, and channel automation draft
    confirm now stamp persisted Automation V2 definitions from the request
    TenantContext.
  • Automation V2 create/apply payloads cannot switch tenant context through
    embedded metadata.
  • Scheduled/background-created runs inherit the stored automation tenant.
  • Watch-condition runs now inherit the owning automation tenant instead of
    falling back to local_implicit.
  • Automation V2 context-run blackboard sync inherits the run tenant, so
    background-created context runs do not silently become local implicit.
  • Stale reaping and auto-resume regression coverage now proves explicit run
    tenant context survives recovery without an active HTTP request.
  • Scheduler-published Automation V2 run-created events now include top-level
    tenantContext, allowing hosted/global SSE filters to enforce tenant
    visibility.
  • Added finite-body Automation V2 SSE coverage proving a tenant stream receives
    its own event and does not receive another tenant's event.

Runtime Tenant Isolation

  • Session routes now enforce tenant ownership for list, get, delete, messages,
    prompting, attach, and workspace-override flows.
  • Global event streams filter emitted events by tenant context so hosted
    tenants do not receive unrelated runtime events.
  • Context-run internal routes are hardened by tenant for events/SSE, blackboard
    access, task claim/transition, checkpoints, replay, and ledger state.
  • Automation V2 run/gate routes reject cross-tenant list, mutation, start,
    inspect, approve, deny, and rework attempts.
  • Legacy workflow routes gained tenant checks so older governance-light paths
    cannot become a bypass around Automation V2 isolation.
  • Coder-created context runs now inherit the request tenant, and coder
    status/list/get/artifact reads are filtered through the linked context run
    tenant.
  • Coder control and artifact-writing routes now require the caller to match the
    owning context run tenant before approving, cancelling, executing, writing
    artifacts, or listing memory candidates. Added denial coverage proving tenant
    B cannot mutate or inspect tenant A's coder run through those routes.

Provider And MCP Secrets

  • Provider credential records are tenant-scoped for hosted/shared runtime mode.
  • Provider create/list/read/update/delete/refresh paths use the request tenant
    and fail closed across tenant boundaries.
  • Store-backed MCP secret references validate tenant scope before lookup.
  • MCP tool execution now receives effective request/session/run tenant context
    so tenant A cannot execute with tenant B's stored MCP secret.
  • Local single-tenant env/store secret behavior is preserved for local mode.

Memory Isolation

  • Governed memory search, list, read, promote, demote, update, and delete paths
    use tenant-aware DB methods.
  • memory_records dedupe and user-created indexes now include tenant scope.
  • Vector-backed session/project/global memory chunks now store tenant
    org/workspace/deployment scope.
  • sqlite-vec top-k memory search filters the chunk table by tenant before
    distance ranking, preventing another tenant's closer vectors from suppressing
    the current tenant's results.
  • Added denial tests for identical vector content, shared source hashes,
    cross-tenant vector search, cross-tenant vector deletes, tenant-scoped memory
    stats, project vector stats, manual clear, and old-session cleanup.
  • Memory manager context retrieval now has tenant-aware APIs that scope recent
    session chunks and vector search before prompt context is assembled.
  • Memory file import/index paths now carry tenant scope through import
    requests, index lookup/update/delete, stale file chunk replacement,
    sync-delete cleanup, project file-index stats, and project file-index clear.
  • Added denial tests proving same project/path imports, identical file chunks,
    index deletes, stats, and clears do not cross tenant boundaries.
  • Memory project/global config rows and old-session hygiene now use tenant
    scope, with tests proving same project ids cannot overwrite retention policy
    or prune another tenant's session memory.
  • Knowledge spaces now include tenant-scoped uniqueness, and knowledge item,
    coverage, promotion, manager, and Automation V2 preflight paths use
    tenant-aware lookups so curated knowledge cannot cross hosted tenant
    boundaries.
  • Existing local memory rows default to local/local during migration.
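
Why the sqlite-vec change above filters by tenant before distance ranking: if the whole table is ranked first and other tenants' rows are dropped afterwards, another tenant's closer vectors use up the top-k slots. The following added example (not Tandem's code) shows both orderings over an in-memory stand-in for the chunk table; the Chunk struct, function names, and sample vectors are constructed for illustration.

```rust
// Added illustration; an in-memory stand-in for the chunk table, not Tandem's schema.
pub struct Chunk { pub tenant: &'static str, pub id: u32, pub vec: [f32; 2] }

fn dist2(a: &[f32; 2], b: &[f32; 2]) -> f32 {
    (a[0] - b[0]).powi(2) + (a[1] - b[1]).powi(2)
}

/// Return the k rows closest to `q` among the rows supplied.
fn nearest<'a>(rows: impl Iterator<Item = &'a Chunk>, q: &[f32; 2], k: usize) -> Vec<&'a Chunk> {
    let mut v: Vec<&'a Chunk> = rows.collect();
    v.sort_by(|a, b| dist2(&a.vec, q).total_cmp(&dist2(&b.vec, q)));
    v.truncate(k);
    v
}

/// Weak ordering: rank every tenant's rows, then drop rows owned by others.
pub fn topk_post_filter(t: &[Chunk], tenant: &str, q: &[f32; 2], k: usize) -> Vec<u32> {
    nearest(t.iter(), q, k).into_iter().filter(|c| c.tenant == tenant).map(|c| c.id).collect()
}

/// Ordering described in the release notes: restrict to the tenant, then rank.
pub fn topk_pre_filter(t: &[Chunk], tenant: &str, q: &[f32; 2], k: usize) -> Vec<u32> {
    nearest(t.iter().filter(|c| c.tenant == tenant), q, k).into_iter().map(|c| c.id).collect()
}

/// Constructed sample: tenant "b" owns the rows nearest the query point [0, 0].
pub fn sample_table() -> Vec<Chunk> {
    vec![
        Chunk { tenant: "b", id: 10, vec: [0.0, 0.1] },
        Chunk { tenant: "b", id: 11, vec: [0.1, 0.0] },
        Chunk { tenant: "b", id: 12, vec: [0.1, 0.1] },
        Chunk { tenant: "a", id: 1, vec: [1.0, 1.0] },
        Chunk { tenant: "a", id: 2, vec: [2.0, 2.0] },
        Chunk { tenant: "a", id: 3, vec: [5.0, 5.0] },
    ]
}

fn main() {
    let (table, q) = (sample_table(), [0.0, 0.0]);
    // Tenant "a" gets nothing when tenant "b" fills the global top-2.
    println!("post-filter: {:?}", topk_post_filter(&table, "a", &q, 2));
    println!("pre-filter:  {:?}", topk_pre_filter(&table, "a", &q, 2));
}
```

With post-filtering, the number of results tenant "a" receives depends on tenant "b"'s data, which is both a correctness problem and a cross-tenant signal; a denial test can assert that a tenant's results are unchanged when another tenant's rows are added.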

Automation V2 MCP Diagnostics

  • Required MCP tool validation now reports the exact missing tool ids in
    missing_required_mcp_tools and in required_next_tool_actions, making
    repair prompts specific instead of saying only that required MCP calls were
    incomplete.
  • MCP connector results that return string errors such as MCP error -32602
    are now treated as failed tool results, so invalid connector arguments do not
    satisfy required-tool validation.
  • Structured JSON nodes that declare output_contract.schema now validate the
    final artifact against that schema, so raw MCP account/quota/search payloads
    cannot pass as completed handoff artifacts.
  • Automation V2 node preflight now derives concise MCP tool contracts from the
    offered tool schemas, including required arguments, minimal examples, and
    non-blocking schema warnings that are injected into prompts and diagnostics.
  • MCP contract examples now respect positive minLength constraints for
    required string fields, preventing invalid empty-string examples for tools
    such as Notion search.
  • Structured connector nodes now short-circuit across empty batch, empty
    candidate, empty high-value-contact, and empty write-row handoffs, writing the
    appropriate empty artifact instead of spending calls on account, inventory,
    enrichment, or write checks.
  • Automation blocker panels now read checkpoint lifecycle history in addition
    to node outputs and event streams, surfacing node repair and run pause
    reasons that were previously hidden behind generic blocked status.

Compatibility

  • Local/default single-tenant behavior remains unchanged.
  • This release does not start Zitadel/OIDC, SCIM, private sidecar, broader
    artifact isolation, or audit-export isolation work.
  • File import/index isolation, governed knowledge-memory isolation, and broader
    memory-derived cache hardening remain follow-up work.

Full Changelog: v0.5.8...v0.5.9