v0.29.0 — "Naomi Nagata"
Naomi Nagata (The Expanse, 2011, James S.A. Corey) — chief engineer of the Rocinante: she keeps disparate systems integrated, monitors ship health, and is always the first to notice when something is about to break. This release consolidates the CEO inbox into core, adds self-monitoring alerts for broken and stuck jobs, and hardens the engineering foundation with security scanning and proper binary file handling.
The ceo-inbox agent and all 9 of its skills moved from curia-deploy into curia core, bringing them under CI, real type-checking, and the same test infrastructure as everything else (#592).
Curia gained a new platform capability: TempFileStore, a capability-gated service that writes binary buffers to a noexec tmpfs mount and hands back file:// URLs. Skills opt in via their manifest, and the store sweeps expired files automatically (#624). This unblocked the attachment-to-Drive pipeline — four compounding bugs that prevented email attachments from uploading correctly to Google Drive were resolved by routing binary data through TempFileStore instead of base64 strings (#622, #624).
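A minimal sketch of the store pattern described above, added here as an illustration and not Curia's own code. The class name, the `temp-file-store` capability string, the manifest shape and the TTL parameter are assumptions, and the noexec tmpfs mount is assumed to be provisioned outside the process (an ordinary temp directory stands in for it).

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import { randomUUID } from "node:crypto";
import { fileURLToPath, pathToFileURL } from "node:url";
// Hypothetical manifest shape: a skill opts in by listing the capability.
type SkillManifest = { name: string; capabilities: string[] };

class TempFileStoreSketch {
  private expiry = new Map<string, number>(); // file path -> expiry time (ms)
  private root: string;
  private ttlMs: number;
  constructor(root: string, ttlMs: number) { this.root = root; this.ttlMs = ttlMs; }
  // Write raw bytes and return a file:// URL; skills without the capability are refused.
  write(skill: SkillManifest, data: Buffer, now: number = Date.now()): string {
    if (!skill.capabilities.includes("temp-file-store")) throw new Error(`${skill.name}: capability missing`);
    // Store-chosen name (no caller-controlled path); "wx" never overwrites; 0o600 is owner-only.
    const file = path.join(this.root, randomUUID());
    fs.writeFileSync(file, data, { flag: "wx", mode: 0o600 });
    this.expiry.set(file, now + this.ttlMs);
    return pathToFileURL(file).href;
  }
  // Delete every file whose TTL has passed and return how many were removed.
  sweep(now: number = Date.now()): number {
    let removed = 0;
    this.expiry.forEach((expiresAt, file) => {
      if (expiresAt > now) return;
      fs.rmSync(file, { force: true });
      this.expiry.delete(file);
      removed++;
    });
    return removed;
  }
}

// Constructed input: PNG magic plus non-text bytes, passed as a Buffer end to end.
function demo(): { intact: boolean; denied: boolean; swept: number; gone: boolean } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "tfs-")); // stand-in for the tmpfs mount
  const store = new TempFileStoreSketch(root, 1000);
  const bytes = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0xff]);
  const file = fileURLToPath(store.write({ name: "uploader", capabilities: ["temp-file-store"] }, bytes, 0));
  const intact = fs.readFileSync(file).equals(bytes);
  let denied = false;
  try { store.write({ name: "other", capabilities: [] }, bytes, 0); } catch (_e) { denied = true; }
  const swept = store.sweep(1000);
  const gone = !fs.existsSync(file);
  fs.rmSync(root, { recursive: true, force: true });
  return { intact, denied, swept, gone };
}
```

Calling `demo()` returns flags showing that the bytes read back unchanged, that a skill without the capability was refused, and that the sweep removed the expired file.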
Beyond attachments, new email folder management skills landed: email-label, email-list-folders, email-create-folder, and email-mark-read.
The system now monitors its own health more actively. SuspensionNotifier emails the CEO when a scheduled job suspends after consecutive failures, bypassing the LLM pipeline entirely so it works even during provider outages (#538). RecoveryNotifier does the same when the watchdog auto-recovers a stuck job (#207).
Entity resolution got smarter with alias-aware search — EntityMemory.search now checks aliases before falling back to vector search, and mergeEntities unions aliases from both nodes (#536). CEO-originated tasks now skip autonomy Gates A and B via principal bypass (spec 14).
On the security front: Semgrep CE runs pattern-based SAST on every PR (#562), per-route rate limiting caps auth endpoints at 10 req/min and KG/health at 60 req/min (#580), HTML sanitization closed 15 CodeQL alerts (#581), Gitleaks blocks merges if secrets are detected (#560), and CodeQL was upgraded to Action v4 with the Node.js 24 runner (#561, #582).
Several bugs were fixed: ceo-inbox-search now uses the correct Nylas v3 parameter, held-messages-process promotes contacts to confirmed before replaying, the self-email loop filter rejects self-sent messages more robustly (#37), and calendar write timestamps now return in local timezone (#369).
the ship runs itself —
alerts hum where silence hid;
the engineer sleeps.