v2.4.0

Highlights

🔒 Security & Trust Boundaries

• Per-arc network trust boundary — agent network access is now gated per-arc, with room-native approval flows (!approve/!deny)
• User allowlist for room messages — restrict who can interact with the bot
• DM rejection for untrusted users when allowlist is active
• Auto-trust URLs with harness-provided auth headers (e.g. files.slack.com)

💰 Budget & Cost Tracking

• BYOK budget tracking with per-user budget & window-hours overrides via policy.json
• Async cost span tracking — background/proactive costs no longer lost on errors
• Configurable warnCostUsd threshold for per-session cost warnings
• 90% quota warning with cooldown; improved !balance output
• Default to no cost limits when freeTierBudgetUsd is unset
• Proactive classifier evals no longer charged to user budgets

🧠 Agent & Memory

• Per-user memory files (workspace/users/<nick>.md)
• Events system improvements — auto-populate threadId, propagate thread context to scheduled events, <thinking> extraction as [internal monologue]
• Improved MEMORY.md guidance (steer toward directives, improve factual recall)
• [internal monologue] responses treated as empty → retry loop

🏠 Gondolin Sandbox

• Playwright + Chromium support inside sandbox
• Import MITM CA into NSS database for Chromium
• Artifact URL interception inside Gondolin
• Arc env injection, session dirs moved to /workspace/.sessions/
• Multiple boot/checkpoint stability fixes (rootfsInitExtra idempotency, checkpoint trailer preservation, PATH fixes)
• Upgraded @earendil-works/gondolin 0.5.0 → 0.7.0

💬 Room Integrations

• Slack: forwarded/shared message attachment extraction, artifact URL → Slack file uploads, files:write scope, app manifest for one-click setup
• IRC: hardened nick extraction (bridge nick> format, valid IRC charset validation)
• Discord/Slack: strip bare leading timestamps from LLM responses
• Concurrent room event processing
• Thread starters included as channel context with reply count annotations

🛠 CLI & Config

• --arc flag for CLI commands to run in a specific arc's context
• Auth tokens (Discord, Slack) moved to auth.json
• Configurable oracle thinking level
• Per-trigger tool config overrides (e.g. skip transcriber for !s)

📦 Infrastructure

• Removed vendored pi fork — now uses upstream @mariozechner/pi-* npm packages directly (upgraded through 0.57→0.64)
• Artifact viewer: PDF support, favicon, mp4/video handling
• SVG images treated as text in visit_webpage
• Web transcriber hardened against hallucination on error pages
• Edit chain properly broken on steering messages

🐛 Notable Fixes

• Prevent cross-thread context leak (preserve threadId on edit lines)
• Fix Slack transport silently dropping messages with only shared content
• Fix OpenRouter model ID version separator normalization
• Reject agent responses that call share_artifact without a URL
• Fix image/jpg → image/jpeg normalization for Anthropic API