release: v0.17.5 — Bug Hunt & Async Guardrails by johnnichev · Pull Request #29 · johnnichev/selectools

johnnichev · 2026-03-24T02:31:53Z

Summary

91 validated bug fixes across 7 subsystems + async guardrails feature.

Critical fixes (13)

Path traversal in JsonFileSessionStore
Unicode homoglyph bypass in injection screening
FallbackProvider stream circuit breaker
Gemini tool-call crash
astream() model_selector broken
MCP tools broken in sync mode
Hybrid search O(n²) → O(1)
SQLiteVectorStore thread safety
Crash-safe file writes
Eval regex crash + JSON validity

High fixes (26)

16 LLM evaluators silent pass on unparseable scores
XSS in eval dashboard
Missing async observer events in arun/astream exit paths
SSN regex false positives on ZIP+4
Coherence cost tracking + fail_closed option
Plus 16 more across tools, RAG, memory, security

Medium + Low (52)

datetime.utcnow → timezone-aware UTC throughout
SQLite WAL + indexes for all stores
Non-deterministic hash() → hashlib.sha256
OpenAI embed batching, bool/int validation, and 40+ more

New feature

Async guardrails — Guardrail.acheck() + GuardrailsPipeline.acheck_input/acheck_output + agent wiring. arun()/astream() no longer block the event loop.

Test plan

40 new regression tests for critical + high fixes
Full suite: 2037 passed, 0 failures
Pre-commit hooks: black, isort, flake8, mypy, bandit all pass
Docs build clean
All 91 fixes validated by dedicated validation agents reading actual code

🤖 Generated with Claude Code

Security: - Path traversal in JsonFileSessionStore — validate session_id (#9) - Unicode homoglyph bypass in injection screening — NFKD + zero-width strip + homoglyph map (#13) Data integrity: - FileKnowledgeStore._save_all() atomic write via tmp + os.replace (#10) - JsonFileSessionStore.save() atomic write (#31) Agent core: - astream() uses self._effective_model (was self.config.model) (#1) - Sync _check_policy rejects async confirm_action with clear error (#2) - Sync _streaming_call isinstance(chunk, str) guard (#18) Providers: - FallbackProvider stream()/astream() record success after consumption, not before — circuit breaker now works for streaming (#3) - Gemini response.text ValueError catch for tool-call-only responses (#4) Tools: - aexecute() uses run_in_executor(None) shared executor (#5) - execute() awaits coroutines from async tools via asyncio.run (#6) RAG: - Hybrid search O(n²) → O(1) via text_to_key dict lookup (#7) - SQLiteVectorStore thread safety + WAL mode (#8) Evals: - OutputEvaluator catches re.error on invalid regex (#11) - JsonValidityEvaluator respects expect_json=False (#12) 16 new regression tests. Full suite: 2000 passed.

Agent core observers (6 fixes): - astream() cancellation/budget paths now build proper results with trace steps and async observer events (#14) - arun() fires async observers for cancel/budget/max-iter (#15) - _aexecute_tools_parallel fires async observer events (#16) - _aexecute_tools_parallel tracks tool_usage/tool_tokens (#17) - _acheck_policy fires async on_policy_decision observer (#10M) - astream() max-iter path fires async on_run_end (#12M) Tools + providers (7 fixes): - Anthropic empty content list guard (#19) - Bool rejected for int/float params (#20) - ToolRegistry.tool() has screen_output/terminal/requires_approval (#21) - MultiMCPClient list_all_tools() copies tools before prefixing (#22) - Streamable-http 3-tuple unpacking robust handling (#23) - _serialize_result returns "" for None (#24) - StructuredOutputEvaluator handles __slots__ (#45) RAG (6 fixes): - SQLiteVectorStore search documented limitation (#25) - InMemoryVectorStore max_documents warning (#26) - Pinecone metadata.get instead of .pop (#27) - ContextualChunker None content guard (#28) - Filter overfetch: top_k*4 when filter present (#29) - OpenAI embed_texts batching at 2048 (#30) Memory (5 fixes): - FileKnowledgeStore reads under lock (#32) - SQLiteSessionStore WAL mode (#33) - SQLiteKnowledgeStore indexes on query columns (#34) - query() LIMIT after TTL filter (#35) - Redis save() category update in pipeline (#36) Evals (4 fixes): - 16 LLM evaluators fail on unparseable score (#37) - XSS fix: textContent instead of innerHTML (#38) - Donut SVG 360° arc: two semicircles (#39) - Suite completed counter under threading.Lock (#46) Security (5 fixes): - REWRITE/WARN guardrails tracked in trace (#40) - SSN regex requires consistent separators (#41) - Topic guardrail Unicode normalization (#42) - Coherence usage tracked in agent costs (#43) - Coherence fail_closed option (#44) Full suite: 2013 passed.

Agent core (4): - tool_timeout_seconds=0.0 now enforces timeout (was treated as None) - Coherence text extracted before guardrails (sees original, not redacted) - History >200 messages without memory emits warning - TODO comment for async guardrails Providers (2): - _openai_compat timeout=None no longer passed to SDK - TOOL message tool_call_id defaults to "unknown" not None RAG (7): - Non-deterministic hash() → hashlib.sha256 in SQLite, Chroma, Pinecone stores - TextSplitter length_function documented as character-count only - Loader recursive param logic simplified - InMemory delete batched (single np.delete call) - Loader print → logging.warning Tools (3): - ToolLoader sanitizes hyphenated filenames - ToolLoader narrows exception handling + adds logging - MCP unused import removed, _loop timeout added Memory (8): - Redis TTL=0 handled correctly (is not None check) - ConversationMemory.clear() resets _summary - KG LIKE wildcards escaped - KnowledgeMemory _enforce_max_entries uses query-based count - JsonFileSessionStore.load() expiry check inside lock - Redis count() documented as potentially stale - datetime.utcnow → datetime.now(timezone.utc) throughout - EntityMemory build_context uses locked property Evals (5): - Regression/snapshot key collision fixed with index suffix - from_dicts copies metadata before mutating - serve.py shared state documented - __main__.py exit code scoped to run command only Security (6): - FormatGuardrail fails when required_keys on non-dict JSON - deny_when evaluates with empty tool_args dict - Audit logs tool_args in policy decisions - Coherence uses exact word match (not prefix) - Coherence usage tracked + fail_closed option - PII email regex pipe removed, toxicity threshold 0.0→0.1 Full suite: 2013 passed.

- Bug #2: async confirm_action guard in sync _check_policy (was overwritten by Batch 2) - Bug #8: SQLiteVectorStore WAL mode + threading.Lock (was overwritten by Batch 3) - Bug #10: FileKnowledgeStore atomic write via tmp + os.replace (was overwritten by Batch 3) - Fix SQLite test cleanup for WAL mode extra files

HIGH fixes recovered: - Bug #22: MultiMCPClient copy.copy(tool) before prefix mutation - Bug #26: InMemoryVectorStore max_documents capacity warning - Bug #27: Pinecone metadata.get not .pop (stops mutating response) - Bug #28: ContextualChunker (content or "").strip() None guard - Bug #29: InMemoryVectorStore overfetch top_k*4 when filter present - Bug #36: Redis save() category srem moved into pipeline - Bug #38: XSS fix — createElement/textContent replaces innerHTML - Bug #41: SSN regex uses strict alternation (?:\d{3}-\d{2}-\d{4}|\d{9}) LOW fix: - Bug #35: KnowledgeMemory.remember() uses UTC consistently - Fixed naive/aware datetime comparison in prune_old_logs - Updated tests to use UTC dates Full suite: 2013 passed.

Covers: path traversal, Unicode bypass, atomic writes, async confirm_action, ToolCall stringification, async tool execute, None serialization, bool/int validation, hybrid search O(1), regex crash, JSON validity, SSN regex, coherence usage+fail_closed, LLM evaluator parse failure, donut SVG, memory clear summary, datetime UTC awareness.

Guardrail base class: - Added async def acheck() with default asyncio.to_thread fallback - Subclasses can override for native async (e.g. LLM-based guardrails) GuardrailsPipeline: - Added acheck_input() and acheck_output() with _arun_chain() - Mirrors sync pipeline but calls acheck() on each guardrail Agent core: - Added _arun_input_guardrails() and _arun_output_guardrails() - arun() and astream() use async guardrails via skip_guardrails flag - run() still uses sync guardrails (unchanged behavior) This fixes the event loop blocking issue where sync guardrails in arun()/astream() could stall the entire async application.

- Test count: 2113 → 2183 across all docs and landing page - README.md: fix stale 2082 reference - CLAUDE.md: add 5 new Common Pitfalls (#14-#18) from bug hunt - FallbackProvider stream success recording - astream() must use _effective_model - Async observer events in all exit paths - datetime.utcnow deprecated - Guardrails have async support - Fix _openai_compat _format_tool_call_id None return (mypy)

91 validated bug fixes across 7 subsystems (13 critical, 26 high, 30 medium, 22 low). Async guardrails for non-blocking arun()/astream(). 40 new regression tests. 5 new Common Pitfalls in CLAUDE.md.

Addresses 4 items from the latest Galaxy S23 review round plus one new desktop instruction. 1. **Hidden nav drawer leaving a visible line at the top of the header** (Image #29): the previous `transform: translateY(-110%)` with a `border-bottom: 1px solid` on .nav-drawer was leaving a faint sub-pixel artifact depending on viewport/DPR. Replaced with `opacity: 0 + visibility: hidden + transform: translateY(-8px)`, using transition-delay to sequence visibility correctly on open (immediate) vs close (after fade-out completes). The drawer is now completely invisible and non-interactive when closed — no peek, no interactive hit zone. 2. **Huge gap between "24 Built-in Tools" and "Multi-Agent Orchestration" on mobile** (Image #30): the `mt-16` (64px) between the grid-4 and grid-2 card sections created a visible "end of section" break mid-content when both collapse to single column. Added a mobile/touch override that reduces mt-16 to match the in-grid gap (14px), so the cards read as one continuous list. 3. **pip install button looks bad on desktop** (Image #31): completely replaced the old .btn-pip squished-text button with a full terminal install component inspired by the nv-context-landing pattern the user pointed at. Structure: ┌─ ● ● ● ~/your-project [Copy] ─┐ │ │ │ $ pip install selectools█ │ │ │ └────────────────────────────────────────────────────┘ - Rounded container with cyan-tinted hover glow - Mac-style traffic-light dots (red/yellow/green) - `~/your-project` filename in the chrome - `$ pip install selectools` with cyan prompt, white cmd, blinking cyan caret - Reveal-on-hover "Copy" button (always visible on touch) - Whole component is click-to-copy with Enter/Space keyboard support - "Copied" flash on the Copy button + bottom toast notification - Full clipboard API with execCommand fallback for insecure contexts Replaces the old `<button class="btn btn-pip">` + `copyPip()` JS. The "Try the Builder" and "Read the Docs" buttons move below as a standard two-button CTA row. Far more visually distinctive and intuitive than a button labeled "pip install selectools". 4. **Desktop header auto-hide** (new instruction): removed the nav-hide-on-scroll-down behavior on desktop too. The header now stays permanently fixed on all viewports — the previous progressive-enhancement auto-hide was confusing even on desktop. Also removed the now-dead .nav-hidden CSS class and the `allowHide` logic in the scroll-progress IIFE. Also cleaned up: - Removed `.nav-drawer { display: block }` overrides from both media queries — the drawer is always `display: block` default now, with visibility controlling appearance. Simpler, fewer rules. - Added `.terminal-body .caret` and `.terminal-install:hover` neutralization in the prefers-reduced-motion block. - Added `@media (hover: none)` guard to prevent transform lift on touch.

…43) Addresses 4 items from the latest Galaxy S23 review round plus one new desktop instruction. 1. **Hidden nav drawer leaving a visible line at the top of the header** (Image #29): the previous `transform: translateY(-110%)` with a `border-bottom: 1px solid` on .nav-drawer was leaving a faint sub-pixel artifact depending on viewport/DPR. Replaced with `opacity: 0 + visibility: hidden + transform: translateY(-8px)`, using transition-delay to sequence visibility correctly on open (immediate) vs close (after fade-out completes). The drawer is now completely invisible and non-interactive when closed — no peek, no interactive hit zone. 2. **Huge gap between "24 Built-in Tools" and "Multi-Agent Orchestration" on mobile** (Image #30): the `mt-16` (64px) between the grid-4 and grid-2 card sections created a visible "end of section" break mid-content when both collapse to single column. Added a mobile/touch override that reduces mt-16 to match the in-grid gap (14px), so the cards read as one continuous list. 3. **pip install button looks bad on desktop** (Image #31): completely replaced the old .btn-pip squished-text button with a full terminal install component inspired by the nv-context-landing pattern the user pointed at. Structure: ┌─ ● ● ● ~/your-project [Copy] ─┐ │ │ │ $ pip install selectools█ │ │ │ └────────────────────────────────────────────────────┘ - Rounded container with cyan-tinted hover glow - Mac-style traffic-light dots (red/yellow/green) - `~/your-project` filename in the chrome - `$ pip install selectools` with cyan prompt, white cmd, blinking cyan caret - Reveal-on-hover "Copy" button (always visible on touch) - Whole component is click-to-copy with Enter/Space keyboard support - "Copied" flash on the Copy button + bottom toast notification - Full clipboard API with execCommand fallback for insecure contexts Replaces the old `<button class="btn btn-pip">` + `copyPip()` JS. The "Try the Builder" and "Read the Docs" buttons move below as a standard two-button CTA row. Far more visually distinctive and intuitive than a button labeled "pip install selectools". 4. **Desktop header auto-hide** (new instruction): removed the nav-hide-on-scroll-down behavior on desktop too. The header now stays permanently fixed on all viewports — the previous progressive-enhancement auto-hide was confusing even on desktop. Also removed the now-dead .nav-hidden CSS class and the `allowHide` logic in the scroll-progress IIFE. Also cleaned up: - Removed `.nav-drawer { display: block }` overrides from both media queries — the drawer is always `display: block` default now, with visibility controlling appearance. Simpler, fewer rules. - Added `.terminal-body .caret` and `.terminal-install:hover` neutralization in the prefers-reduced-motion block. - Added `@media (hover: none)` guard to prevent transform lift on touch.

johnnichev added 9 commits March 23, 2026 21:20

release: v0.17.5 — Bug Hunt & Async Guardrails

cbec4f2

91 validated bug fixes across 7 subsystems (13 critical, 26 high, 30 medium, 22 low). Async guardrails for non-blocking arun()/astream(). 40 new regression tests. 5 new Common Pitfalls in CLAUDE.md.

johnnichev merged commit b6275fe into main Mar 24, 2026
1 check passed

johnnichev deleted the fix/bug-hunt-v0.17.5 branch March 24, 2026 02:32

johnnichev mentioned this pull request Apr 7, 2026

fix(landing): iter 3 — terminal install, fixed header, drawer polish #43

Merged

21 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

release: v0.17.5 — Bug Hunt & Async Guardrails#29

release: v0.17.5 — Bug Hunt & Async Guardrails#29
johnnichev merged 9 commits intomainfrom
fix/bug-hunt-v0.17.5

johnnichev commented Mar 24, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant