Stabilization v1: candidate intake

[RaresKeY]

This discussion is for surfacing PRs and issues that should be considered for a maintainer-owned Stabilization v1 milestone.

This came out of an idea @sacb0y raised about using GitHub's existing coordination surfaces more intentionally: #2528 (reply in thread)

Normal contributors cannot create or manage milestones here, so this can be the intake lane: contributors propose candidates, maintainers decide what actually goes into the milestone.

Good candidates:

• security/auth/trust-boundary fixes
• CI, tests, packaging, startup/runtime reliability
• review/process templates that reduce maintainer load
• small cleanup/restructuring PRs with clear validation
• specs/implementation-truth docs that make review safer
• duplicate/overlap cleanup
• platform stabilization, especially Windows/macOS/Linux setup issues
• bugs that unblock many users or reduce repeated reports

Not a good fit:

• broad new features
• large rewrites without an accepted plan
• speculative architecture proposals
• nice-to-have work that does not stabilize the current project

Suggested format for one candidate:

- #1234 — short reason it fits Stabilization v1. Related: #1111, #2222. Status: open PR / open issue / needs validation / overlaps / needs maintainer direction.

Suggested format for multiple candidates:

### Area name

- #1234 — short reason. Related: #1111. Status: open PR.
- #1235 — short reason. Related: #2222, #3333. Status: needs validation.

Please keep comments concrete: links, short reasoning, and related work. The useful part is making high-signal stabilization work easier for maintainers to find, not voting for favorite features.

[RaresKeY]

Curated candidate bucket from the coordination thread plus current PR/issue
state. These are authored/picked items that look relevant to Stabilization v1;
not all are ready to merge as-is, and the intent is maintainer triage.

Review / coordination / decision context

• [Proposal]: CODEOWNERS 🗳️ #593 - CODEOWNERS / area ownership; high-signal review-routing decision
  candidate.
• How should we coordinate as contributors/maintainers? #2528 - contributor/maintainer coordination discussion.
• Proposal: Architecture & Codebase Structure v3 #605 - architecture/codebase structure hub; useful source material for narrow
  stabilization slices, not one implementation candidate.
• Proposal: CI baseline (correctness + security) gate for the repo #2288 - CI baseline correctness/security gate; decision candidate.
• Add PR related-work coordinator bot #3051 - related-work coordinator bot proposal; possible duplicate-work
  reducer, needs maintainer-owned first slice.
• docs: bootstrap specs ground truth #2538 - implementation-truth specs; useful review-context candidate but large
  docs/workflow surface needs maintainer comfort.
• docs: add pull request review template #3128 - compact PR review template; small process helper with green checks.

Security / trust boundaries

• fix(agent): wrap non-native tool results as untrusted data #1629 - wraps non-native tool results as untrusted data; strong candidate.
• Gate API tokens from generic user routes #2992 - gates API tokens from generic user routes; strong candidate.
• Agent mode executes shell commands despite explicit guide-only / no-tools instruction #3068 / fix(agent): enforce guide-only tool policy #3088 - guide-only/no-tools runtime policy; review findings remain.
• Add default-deny API token capability checks for bearer routes #3149 / Harden API token route capabilities #3150 - default-deny API-token route capabilities; Harden API token route capabilities #3150 is draft.
• fix(tools): allowlist command/args/env in manage_mcp 'add' to prevent RCE #438 - manage_mcp add allowlist / RCE hardening; needs re-review.
• fix(security): close DNS-rebinding hole on diffusion_server (wildcard CORS + missing Host check) #347, fix(webhooks): redact IPv6 addresses in sanitized error messages #3038 - DNS-rebinding/CORS and webhook redaction hardening; both fit
  with review/validation caveats.

Owner scope / data isolation / secrets

• fix(routes): owner-scope helper endpoint resolution across authenticated routes #2414, fix(docs): fail closed on null-owner session in document_routes #1449, fix(email): preserve task owner for summary model lookup #2727 - narrow owner-scope/data-isolation fixes; strong candidates.
• Order-dependent test failures + gallery null-owner read bypass when auth is enabled #3148 / fix: test isolation and gallery null-owner scoping #3147 - gallery null-owner scoping/test-order fix; needs review.
• fix(endpoint): scope secondary endpoint lookups by owner #1511 - secondary endpoint owner scoping; approved but still has
  blocked/needs-validation and supersession questions.
• Scope document session links by owner #3005, Admin "wipe memory" doesn't clear the vector index — get_memory_vector_store() missing in src/memory_vector.py #1967 / Fix admin memory-wipe not clearing the vector index (add get_memory_vector_store + clear) #1968, fix: backup import dropping a user's skill on cross-tenant title/id collision #2057, fix(api-keys): preserve encrypted keys when saving providers #1920, fix(security): encrypt CardDAV password at rest in settings.json #1741 - owner-scope, data-cleanup,
  backup-import, API-key, and secret-storage fixes that fit with merge-state or
  review caveats.

Runtime / platform / Cookbook

• fix(cookbook): make pip CUDA llama.cpp builds serve on GPU #2549 - pip-CUDA llama.cpp build/serve repair; strong candidate.
• fix: odysseus-calendar list dropping in-progress / multi-day events #2065 - calendar in-progress/multi-day event listing; strong candidate.
• fix(agent): kill full process tree when stopping tools #2555 - process-tree cleanup when stopping tools; strong but needs review.
• fix(cookbook): Windows local download + serve fixes (bash routing, progress, CUDA llama-server, busy-endpoint watchdog) #3100 - Windows Cookbook/runtime fixes; strong but broad.
• Document library PDF preview blocked by X-Frame-Options and 500s on missing PyMuPDF #2101 / fix(document): allow render-pdf to be framed and 503 cleanly on missing PyMuPDF #2103 - PDF preview/PyMuPDF failure mode; needs frame-header/manual
  preview review.
• fix(compare): poll request.is_disconnected() to stop upstream LLM generation promptly #2157, fix(email): guarantee IMAP conn.logout() on all exception paths #1530, fix(skill-extractor): walk all brace candidates so stray braces in prose do not swallow valid JSON #2205, fix(youtube): initialize chat-path handler in app.py #2281 - runtime/integration fixes where the underlying
  issue fits but live PRs need cleanup, validation, or maintainer re-check.
• Commit dc365a1 breaks tool calling/memory management for local Ollama models on Windows #3141, Fix macOS Quickstart Python Environment Isolation and Add pyenv Support #571, fix(cookbook): shim python3 when it's a Windows Store alias stub #2610, fix(macos): clear error when setup runs under x86/Rosetta Python #941 - Windows/macOS setup/runtime candidates with
  validation or overlap caveats.
• Nvidia-smi shows in docker container but llama.cpp fails to use the GPU #831, Any download inside the app crashes. Cant download dependencies or models. #2008, Cookbook shows "No GPU" with no guidance on how to enable GPU support (Might be an issue for new normal user without much technical knowledge) #316, Cookbook CUDA build fails on split-package distros (Arch/Fedora): cub/cub.cuh not found #2380, Report llama.cpp accelerator capability #1283, fix(cookbook): diagnose llama.cpp CUDA build failures #2554 - GPU/Cookbook/download cluster;
  useful context around fix(cookbook): make pip CUDA llama.cpp builds serve on GPU #2549.

CI / tests / contracts

• test(tool_execution): stop two tests leaking src.tool_execution into the suite #2686 - order-dependent CI/test isolation around src.tool_execution;
  strong candidate.
• tests: Test Hardening and Scalability tracker #2523 - shared test helpers; best treated as narrow helper/isolation slices.
• Document library PDF preview blocked by X-Frame-Options and 500s on missing PyMuPDF #2101 / fix(document): allow render-pdf to be framed and 503 cleanly on missing PyMuPDF #2103 - frontend/backend contract fix.
• Proposal: CI baseline (correctness + security) gate for the repo #2288 - CI baseline gate remains a decision candidate unless maintainers pick
  a concrete first slice.

Model / provider endpoint stability

• Add regression coverage for Z.AI coding endpoint probing #2230 - Z.AI endpoint regression context; linked PR currently conflicted and
  changes-requested.
• feat(llm): detect LM Studio endpoints from their native API #1122 - LM Studio endpoint detection; narrow provider behavior fix.
• Bug: HTTP 400 when using tool calling with Kimi K2.5/K2.6 - reasoning_content field stripped from message history #3118 - Kimi reasoning_content/tool-call failure; concrete issue, root
  cause still needs maintainer confirmation.

[alteixeira20]

Great job putting this together I’ll take a closer look tomorrow and try to expand on it!, thanks for the help and ideas!

[crazyjackel]

#1990 — consistent onboarding-profiles, environments, increased reproducibility; environment disposability for compromise. Improved development security. Related: PR proposal: #2693

[alteixeira20]

I created the Stabilization milestone so we have a concrete place to coordinate the work being discussed here.

I kept the milestone itself short on purpose. This thread should stay the place where people can challenge the structure, suggest better candidates, correct assumptions, and help shape the actual roadmap.

The goal is to turn the existing ROADMAP.md priorities into a practical execution path: small, reviewable work that makes Odysseus easier to install, run, validate, review, maintain, and safely improve.

I think the milestone should stay curated, not become another backlog bucket. A useful first target would be a small set of accepted items, probably around 5-15 live issues/PRs, grouped by stabilization area.

Proposed stabilization areas

Tests and CI signal
Fresh-install smoke tests, focused regression tests, endpoint-level tests, flaky/unclear CI fixes, and validation checks that make PR review safer.

Runtime, install, and platform reliability
Docker, WSL, Linux, macOS, Windows, native Python, Cookbook/runtime issues, startup/setup/update failures, and clearer degraded-state behavior when optional services are unavailable.

Provider and degraded-state reporting
Provider setup/probing reliability, model/provider detection failures, clearer diagnostics, and measurement-first work around prompt/context bloat.

Maintainability and test hardening
Behavior-preserving cleanup only: tests before or alongside extraction, one subsystem per PR, no formatting churn mixed with logic, and no route/API/response-shape changes unless explicitly scoped.

Security and trust boundaries
Auth, token, secret handling, owner-scope, admin-only routes, Docker/network exposure, memory/context injection, tool execution, and prompt-injection risk. I would keep this narrow and maintainer-led, and avoid bundling it with normal cleanup.

Backlog hygiene and implementation-truth docs
Duplicate/overlap mapping, wrong-base PRs, stale or polluted branches, contradictory labels, and docs that match actual implementation behavior.

First candidate registry

This is not a decision list. It is just a first cross-reference pass over the roadmap, discussions, issues, and PRs. Each item should be re-checked live before anything is assigned.

Clean or lower-risk candidates to consider first

• Two order/environment-dependent CI test failures - cookbook venv test and edit_file admin gate #2685 / test(tool_execution): stop two tests leaking src.tool_execution into the suite #2686 - test isolation / CI order failure
• Several hardcoded filesystem paths should use DATA_DIR (cookbook_state, search cache, others) #3331 / fix(cookbook): locate cookbook_state.json via DATA_DIR, not hardcoded /app/data #3332 - cookbook state path under DATA_DIR
• Fresh docker Install: local Ollama problem #1292 / fix(docker): auto-register OLLAMA_BASE_URL as model endpoint on startup #2575 - Docker OLLAMA_BASE_URL startup endpoint

Good candidates after cleanup, rebase, or confirmation

• Agent prompt token bloat: measure, slim, and modularize #2750 / chore(agent): add prompt budget diagnostics #3059 - prompt budget diagnostics
• Nvidia-smi shows in docker container but llama.cpp fails to use the GPU #831 / fix(cookbook): diagnose llama.cpp CUDA build failures #2554 - llama.cpp CUDA diagnosis
• Document library PDF preview blocked by X-Frame-Options and 500s on missing PyMuPDF #2101 / fix(document): allow render-pdf to be framed and 503 cleanly on missing PyMuPDF #2103 - PDF iframe/PyMuPDF fallback

High-risk candidates needing maintainer/security direction

• Add default-deny API token capability checks for bearer routes #3149 / Harden API token route capabilities #3150 - API token default-deny
• fix(endpoint): scope secondary endpoint lookups by owner #1511 - owner-scope endpoint lookup
• Proposal: CI baseline (correctness + security) gate for the repo #2288 / ci: security scanning suite and governance (consolidates #305-310) #1314 - security CI/governance baseline
• Cookbook Codex token scopes are rejected as unknown #3092 / fix: allow cookbook scopes for API tokens #3090 - Cookbook token scopes

How I can help

I can help keep this practical by maintaining a links-only candidate registry, checking overlap before opening new work, validating PR state/checks/labels, and grouping candidates by roadmap area.

For my own contributions, I plan to start with small test/validation work, target dev, keep behavior unchanged unless explicitly scoped, and help existing PRs instead of opening competing ones when someone is already working on the same area.

Feedback welcome. I would like this to become a useful execution layer for Felix’s existing roadmap and for the stabilization work people are already discussing here.

[RaresKeY]

Adding five more live PRs that look worth a Stabilization first pass. This is still candidate routing, not a merge/readiness decision; each should be re-checked against current dev, CI, and overlap before review action.

Security / trust boundaries

• fix(agent): scope skill index to owner to prevent cross-user prompt leak #2404 - owner-scopes the agent skill index so one user's skills are not injected into another user's prompt. Narrow patch, regression test included.
• fix(security): don't grant tool access in the pre-setup window #3506 - keeps bash/python/admin tools blocked in the pre-setup window while preserving AUTH_ENABLED=false single-user behavior. Narrow security-boundary patch.

Auth / owner state / data integrity

• fix(auth): eliminate session orphan-drop and DB/auth skew on user rename #3539 - fixes user-rename session orphan/drop and DB/auth skew. Strong stabilization fit, but should be reviewed with fix(auth): sync file-backed and in-memory owner caches on user rename #3397 / User renaming looses chat history and data leak #3362 overlap in mind.
• fix(auth): sync file-backed and in-memory owner caches on user rename #3397 - syncs non-SQL owner stores on user rename: active sessions, deep research JSON, and memory JSON. Strong fit, but needs careful ordering/race review and overlap check with fix(auth): eliminate session orphan-drop and DB/auth skew on user rename #3539.

Provider / degraded-state / data preservation

• fix(embeddings): survive numpy embeddings when restoring a reset lane #3410 - restores reset embedding lanes when Chroma returns numpy embeddings. Smaller risk than the auth/security items, but narrow and useful as a provider/degraded-state stabilization fix.

Suggested handling: review #2404 and #3506 first as narrow security-boundary fixes, review #3539 and #3397 together because they overlap on rename behavior, and keep #3410 as a focused high-value stabilization follow-up.

[RaresKeY]

• Stabilization: slow down risky merges with clear PR review rules #3694 — clear PR review rules for risky merges; fits Stabilization v1 because it defines when latest commits need re-review, when risky areas need independent review, and what merge owners should check before merge. Status: open issue; needs maintainer direction.

  Related: review process #2872, #2487, #2528; review template #3126, #3128; ownership/CI #593, #2288; current example #3397.

[jongan69]

I agree

I started #3400

Odysseus now has a react native app that control the models remotely

But Codex went crazy with commits so the PR is honestly way too big and needs to be split up

The good news is the mobile app works and can functionally prompt Odysseus over tailscale remotely

But yes coordination for stability is priority. If any small / low hanging fruits are around I'll try to be on top of it the best I can

[RaresKeY]

Adding this as a priority Stabilization v1 item, not just as four standalone bugfix candidates.

I opened these four fixes after inspecting merged PRs and prior commits, then checking whether the behavior still reproduced on current dev. The deterministic audit lane started from 70 quick open-to-merge merged PRs; that pass currently has 55 source-backed follow-up bug notes tied to those candidates across priorities. Counted another way, 48 of the 70 candidate merges have at least one tracked follow-up bug note, about 69%.

That is useful cleanup work, but it is not the workflow we should rely on. These fixes are concrete examples of why #3694 should be part of Stabilization v1: risky areas need clearer review/merge rules so fewer auth, owner-scope, token, and trust-boundary bugs are found only after merge.

cc @pewdiepie-archdaemon @lalalune @vdmkenny @NicholaiVogel @Michiel-VandeVelde @Bandonker @mikaelaldy @vcscsvcscs @alteixeira20 @nopoz @crazyjackel because this overlaps maintainer-owned merge policy, #2528 coordination, and the Stabilization v1 milestone shape.

Security / auth / owner boundaries

• #3718 closes #3717 — HW Fit remote SSH target validation. Related: #3306. Status: open PR, CI passing.
• #3724 closes #3723 — owner-scopes learned email sender signatures. Related: #2695. Status: open PR, CI passing.
• #3727 closes #3726 — drops persisted reserved usernames on auth load. Related: #2867. Status: open PR, CI passing.
• #3733 closes #3732 — fails closed when user API-token purge cannot complete. Related: #2864. Status: open PR, CI passing.

Suggested Stabilization v1 handling:

• treat Stabilization: slow down risky merges with clear PR review rules #3694 as the process item that should govern this class of work;
• triage these four PRs as narrow security/auth/owner-boundary stabilization fixes;
• use the post-merge audit results as evidence that quick merges in risky areas need a clearer review bar, not as a blame list.

[alteixeira20]

Thanks @RaresKeY for the curated log and extensive research, it's highly appreciated, I'll be taking a closer look tomorrow as soon as I get the chance, great work!

[RaresKeY]

• [Proposal]: CODEOWNERS 🗳️ #593 — CODEOWNERS / review-routing decision. This now looks like a Stabilization candidate because the current all-files Code Owner gate is affecting reviewed/CI-green PR flow, not just future governance cleanup. Related: Stabilization: slow down risky merges with clear PR review rules #3694, Proposal: CI baseline (correctness + security) gate for the repo #2288, ci: security scanning suite and governance (consolidates #305-310) #1314, chore(ci): narrow CODEOWNERS to critical paths #4046. Status: open issue; chore(ci): narrow CODEOWNERS to critical paths #4046 is a draft narrow implementation path, but the direction still needs maintainer decision before treating it as accepted.

[RaresKeY]

@alteixeira20 could you take a look at #593 itself when you have a chance? It is now about how CODEOWNERS should be shaped for merge routing, not just future governance cleanup. I’d value your take on the issue before #4046 goes beyond draft.

[jongan69]

Follow-up on my earlier note here so my current mobile/companion work is aligned with the Stabilization v1 framing:

• feat(companion): implement backend-only chat scope and command contract #3400 has since been condensed into a backend-only companion contract/security PR. I do not want that PR reviewed as a broad mobile feature push.
• The separate React Native/TestFlight app stays outside the core repo and outside the Stabilization v1 milestone lane.
• Discussion Odysseus mobile companion app: React Native, private pairing, and App Store path #3403 is the separate client/distribution/App Store track, not my proposed stabilization item.
• Discussion Feature discussion: first-class Pursue Goal mode for long-running agent work #3585 is longer-term core feature planning for a durable goal runner, not my proposed Stabilization v1 candidate.

If maintainers think any part of my current work belongs in Stabilization v1, I think the fit is the narrow backend slice in #3400:

• chat scope and owner-attribution enforcement
• signed-command trust boundaries
• pairing/manifest/session docs and tests that make review safer

That seems consistent with the stabilization thread's focus on trust boundaries, docs/tests, and small reviewable slices rather than broad new product scope.

[RaresKeY]

• Issue buckets: parent trackers, child issues, and PR candidates #4415

[RaresKeY]

Storage / owner integrity

• storage(security): data/app.db is world-readable; chmod 0600 (Rule B prerequisite) #4407 — app.db file-mode hardening. Small security prerequisite: the main DB can be created world-readable depending on umask, while it stores auth/session/provider material. Worth routing under the storage/security tracker.
• storage(integrity): audit & route non-manager direct-disk accessors before migration (Rule A) #4408 — direct-disk accessor audit before storage migration. This is a good source-of-truth prerequisite: find the paths that bypass the manager layer before moving more state into shared storage.
• auth(integrity): make rename_user ownership fan-out atomic / single-source #4410 — rename_user owner fan-out should be atomic/single-source. This looks important because partial SQL/file/JSON ownership rewrites can split user-owned state.
• storage(config): shared config table + secret-encryption convention (UC-28 anchor) #4413 — shared config table and secret-encryption convention. Useful as a storage/config anchor before moving scattered JSON settings and secret-adjacent config.

Tests / CI hardening

• tests: split embedding lane tests into focused files #4385 / test: split embedding lane tests #4389 — split embedding lane tests into focused files. Open PR has passing checks and looks like a narrow test-organization slice.
• tests: split provider classification tests into focused files #4390 / test: split provider classification tests #4392 — split provider classification tests into focused files. Same shape: narrow, test-only, easier to review as an independent cleanup.
• Order-dependent failure: test_skill_index_prompt_injection leaks a stub routes.prefs_routes into sys.modules #4386 / test: stop test_skill_index_prompt_injection leaking a stub prefs_routes #4387 — fix order-dependent leakage from test_skill_index_prompt_injection. Good because it removes hidden test pollution from sys.modules.
• Windows compatibility failures in local test suite #4287 / fix(tests): resolve Windows compatibility failures in test suite #4286 — Windows local test-suite compatibility fixes. Useful platform-stability candidate with passing checks.

Runtime / user-facing stabilization

• bug(cookbook): Cookbook fails to open when a task has a diagnosis — ReferenceError: body is not defined in _showDiagnosis #4406 / fix(cookbook): use diag element instead of undefined body in _showDiagnosis #4416 — Cookbook fails to open when a saved task has a diagnosis because _showDiagnosis references an undefined body. Narrow user-facing bug and narrow fix, checks passing.
• Creating a document without a chat sends a POST /api/session that never succeeds #4382 / fix(documents): use FormData for session creation in document library #4393 — document creation without a chat sends a session-create request that never succeeds. Narrow document-library fix, checks passing.
• Tasks runner cannot use bash/python tools even when user is admin #4163 / fix(tasks): offer shell/file tools to scheduled task agents by default #4398 — scheduled tasks cannot use shell/file tools even for an admin owner. The issue looks important, but the PR touches tool access, so I would route it as security/tool-boundary-sensitive review rather than casual merge queue work.
• Chat stream stops after model_info event when web search is enabled (local Cookbook/llama.cpp model) #4102 / fix(llm): prevent stream hang with web search on local models (#4102) #4233 — local-model web-search stream hang after model_info. The issue is worth keeping visible, but the linked PR currently has requested changes/failing checks, so I would treat it as problem tracking first, PR second.

Review workflow

• Automated PR screenshots/videos? #4376 — automated screenshots/videos for UI-facing PRs. This is a discussion, not a merge candidate, but it may be useful for review quality if the project wants more visual evidence on UI changes.