Skip to content

release: v0.16.4 — parallel execution safety + bug fixes#6

Merged
johnnichev merged 1 commit intomainfrom
release/v0.16.4
Mar 15, 2026
Merged

release: v0.16.4 — parallel execution safety + bug fixes#6
johnnichev merged 1 commit intomainfrom
release/v0.16.4

Conversation

@johnnichev
Copy link
Copy Markdown
Owner

@johnnichev johnnichev commented Mar 15, 2026

Summary

  • Fixed parallel tool execution security gaps — coherence checks and output screening were missing from both sync and async parallel execution helpers
  • Fixed astream() usage tracking — inline provider calls now feed into self.usage
  • Fixed input guardrail mutation_prepare_run() no longer mutates caller's Message objects
  • Fixed ask/aask API gap — both convenience methods now accept parent_run_id

Test plan

  • 1477 tests pass (15 new regression tests)
  • black, isort, flake8, mypy all clean
  • All pre-commit hooks pass

🤖 Generated with Claude Code

@johnnichev
release: v0.16.4 — parallel execution safety + bug fixes
054a97a 
Fix 5 bugs found during deep audit:
- Parallel tool execution missing coherence checks (security)
- Parallel tool execution missing output screening (security)
- astream() inline provider calls not tracking usage
- Input guardrails mutating caller's Message objects
- ask()/aask() missing parent_run_id parameter

15 new regression tests (total: 1477).
@johnnichev johnnichev merged commit 1658022 into main Mar 15, 2026
1 check passed
@johnnichev johnnichev deleted the release/v0.16.4 branch March 15, 2026 15:48
johnnichev added a commit that referenced this pull request Mar 24, 2026
@johnnichev
fix: batch 1 — 13 critical bug fixes from bug hunt
6268b32 
Security:
- Path traversal in JsonFileSessionStore — validate session_id (#9)
- Unicode homoglyph bypass in injection screening — NFKD + zero-width
  strip + homoglyph map (#13)

Data integrity:
- FileKnowledgeStore._save_all() atomic write via tmp + os.replace (#10)
- JsonFileSessionStore.save() atomic write (#31)

Agent core:
- astream() uses self._effective_model (was self.config.model) (#1)
- Sync _check_policy rejects async confirm_action with clear error (#2)
- Sync _streaming_call isinstance(chunk, str) guard (#18)

Providers:
- FallbackProvider stream()/astream() record success after consumption,
  not before — circuit breaker now works for streaming (#3)
- Gemini response.text ValueError catch for tool-call-only responses (#4)

Tools:
- aexecute() uses run_in_executor(None) shared executor (#5)
- execute() awaits coroutines from async tools via asyncio.run (#6)

RAG:
- Hybrid search O(n²) → O(1) via text_to_key dict lookup (#7)
- SQLiteVectorStore thread safety + WAL mode (#8)

Evals:
- OutputEvaluator catches re.error on invalid regex (#11)
- JsonValidityEvaluator respects expect_json=False (#12)

16 new regression tests. Full suite: 2000 passed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@johnnichev