v0.18.2

What's Changed

• fix(skills): prevent low-confidence skill injection (#2512, #2513, #2501) by @bug-ops in #2517
• fix(security): reclassify search_code as ToolResult, add PII NER input truncation by @bug-ops in #2518
• fix(memory): configurable SA timeout, tier promotion retry, orphan cleanup by @bug-ops in #2519
• feat(memory): wire StoreRoutingConfig and goal_text into memory recall path (#2484, #2483) by @bug-ops in #2520
• feat(tools): structured shell output envelope and per-path read sandbox by @bug-ops in #2528
• feat(mcp): MCP Elicitation support (#2486) by @bug-ops in #2521
• fix(mcp): bound elicitation channel, warn on sensitive fields (#2524, #2523) by @bug-ops in #2530
• feat(tools): document and configure [tools.file] read sandbox by @bug-ops in #2532
• feat(core): reactive hook events for CwdChanged and FileChanged (#2487) by @bug-ops in #2531
• feat(security): MCP/A2A security hardening — tool collision detection, SMCP lifecycle, IBCT tokens by @bug-ops in #2533
• fix(memory): soft-delete orphaned messages with legacy-only tool content by @bug-ops in #2534
• fix(tools): propagate claim_source in gate audit and detect relative paths by @bug-ops in #2539
• fix(classifiers): PII NER allowlist for false positives and metal feature documentation by @bug-ops in #2541
• refactor(zeph-llm): remove dead ModelOrchestrator in favour of RouterProvider by @bug-ops in #2546
• feat(mcp): elicitation during tool execution (phase 2) by @bug-ops in #2545
• fix(mcp): drain elicitation_rx concurrently in run_inline_tool_loop by @bug-ops in #2548
• release: v0.18.2 by @bug-ops in #2547

Full Changelog: v0.18.1...v0.18.2

v0.18.1

What's Changed

• fix(memory,llm): correct BFS ESCAPE clause and persist bandit state (#2393, #2394) by @bug-ops in #2395
• fix(classifiers): use Metal/CUDA device when available in candle classifiers by @bug-ops in #2399
• fix(memory): consolidation prompt isolation, Update in-place semantics, concurrent embeddings by @bug-ops in #2400
• feat(skills): semantic confusability mitigation — category grouping, two-stage matching (#2268) by @bug-ops in #2402
• fix(classifiers,core): sha2 0.11 hex format + catch_unwind for RuntimeLayer hooks by @bug-ops in #2405
• fix(skills): wire two_stage_matching and confusability_threshold at startup; migrate legacy bundled skills by @bug-ops in #2410
• feat(acp): update agent-client-protocol 0.10.2→0.10.3, schema 0.11.2→0.11.3 by @bug-ops in #2423
• feat(acp): implement session/close handler and capability advertisement by @bug-ops in #2429
• fix(memory,core): eliminate Qdrant upsert timing race and add RuntimeLayer tests by @bug-ops in #2430
• fix(acp): populate authMethods, add /agent.json endpoint, eliminate IPI duplication by @bug-ops in #2431
• feat(security): MCP→ACP confused-deputy boundary enforcement and security model audit by @bug-ops in #2436
• chore(deps): update github-actions by @bug-ops in #2439
• fix(security): extend MCP env var blocklist and fix audit logger silent drop by @bug-ops in #2446
• feat(memory): ACON category guidelines, Memex tool archive, RL admission control by @bug-ops in #2440
• fix(security): scrub credential env vars from ShellExecutor subprocess environment by @bug-ops in #2452
• feat(acp): expose current model in SessionInfoUpdate and session/list (#2435) by @bug-ops in #2453
• feat(mcp): implement MCP Roots protocol and cap tool descriptions (#2445, #2450) by @bug-ops in #2454
• feat(tools): adversarial policy agent — pre-execution LLM validation of tool calls by @bug-ops in #2457
• security(mcp): harden validate_roots() and truncate_instructions() by @bug-ops in #2458
• feat(core): /new command — reset conversation preserving memory and MCP connections by @bug-ops in #2464
• feat(memory): Kumiho belief revision and D-MEM RPE routing for graph memory by @bug-ops in #2465
• feat(routing): BaRP cost_weight dial and MAR memory_hit_confidence signal by @bug-ops in #2466
• feat(tools,orchestration): utility-guided tool dispatch and cascade-aware DAG routing by @bug-ops in #2470
• fix(tools): adversarial policy exempt list and /status display by @bug-ops in #2471
• security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420) by @bug-ops in #2472
• feat(tools): transactional ShellExecutor with snapshot+rollback (#2414) by @bug-ops in #2473
• feat(tools): add max_snapshot_bytes limit to transactional ShellExecutor by @bug-ops in #2476
• feat(skills): add ARISE trace evolution, STEM pattern-to-skill, and ERL heuristics by @bug-ops in #2482
• fix(tools): prefer memory_search over search_code for user-provided facts by @bug-ops in #2490
• feat(memory): benchmarking harness, cost-sensitive store routing, goal-conditioned write gate by @bug-ops in #2485
• fix(db): force max_connections=1 for in-memory SQLite pools by @bug-ops in #2491
• release: v0.18.1 by @bug-ops in #2494

Full Changelog: v0.18.0...v0.18.1

v0.18.0

What's Changed

• fix(mcp): make OAuth server connections non-blocking at startup by @bug-ops in #2281
• fix(tui): show per-server MCP connection status in TUI by @bug-ops in #2280
• fix(tools): quote cwd path in sandbox_allows_cwd_by_default test by @bug-ops in #2282
• fix(skills): tighten system_prompt_leak pattern to eliminate false positives by @bug-ops in #2283
• fix(memory): compat deserializer and migration for pre-v0.17.1 MessagePart format by @bug-ops in #2287
• feat(classifiers): implement ClassifierMetrics with p50/p95 latency ring buffer by @bug-ops in #2291
• feat(tools): ClaimSource provenance, ErrorDomain recovery, MCP tool pruning by @bug-ops in #2293
• feat(memory): Acon guidelines provider, session digest, crossover context strategy by @bug-ops in #2309
• feat(security): MCP capability attestation, trust calibration, and injection defense by @bug-ops in #2310
• fix(security): sanitizer classifier 401 and regex false positives by @bug-ops in #2314
• fix(mcp): prune_tools max_tools==0 no-cap, description sanitization, always_include semantics by @bug-ops in #2316
• fix(tools): propagate ClaimSource and ErrorDomain to AuditEntry by @bug-ops in #2319
• fix(a2a): drain stale loopback events (#2302), detect stale PID on startup (#2295) by @bug-ops in #2318
• fix(ci): improve cache hit rate with shared-key and job-level sccache env by @bug-ops in #2324
• fix(mcp): centroid drift resistance and trust score decay persistence (#2311, #2312) by @bug-ops in #2325
• fix(memory): eliminate 255 redundant BPE loads in proptest by @bug-ops in #2327
• fix(a2a): drain output_rx until Flush to prevent response shift (#2326, #2313) by @bug-ops in #2328
• fix(mcp): wire DefaultMcpProber and TrustScoreStore into bootstrap, fix stale delta, add ema_floor validation by @bug-ops in #2330
• feat(mcp): per-message caching for prune_tools, integration tests by @bug-ops in #2333
• fix(a2a): add configurable drain timeout to guard against indefinite block by @bug-ops in #2337
• fix(mcp): wire EmbeddingAnomalyGuard into McpManager by @bug-ops in #2336
• feat(security): AEGIS pre-execution firewall, A2A auth identity, dual-threshold classifier by @bug-ops in #2338
• fix(channels): handle /reset as builtin command, fix long_output e2e timeout by @bug-ops in #2344
• feat(mcp): embedding-based semantic tool discovery (#2321) by @bug-ops in #2342
• feat(orchestration): activate VMAO verify-completeness in PlanVerifier by @bug-ops in #2346
• feat(skills): SAGE RL reward signal, trust governance, SkillsBench constraints by @bug-ops in #2348
• fix(telegram): split long streaming responses and reduce edit throttle by @bug-ops in #2349
• fix(tools): write AuditEntry for pre-execution verifier blocks (#2343) by @bug-ops in #2350
• feat(tools): tool invocation phase taxonomy and reasoning model hallucination detection by @bug-ops in #2354
• feat(memory): MemScene consolidation, compress_context tool, A-MAC admission control by @bug-ops in #2355
• feat(memory): All-Mem consolidation, MAGMA edge weights, RuntimeLayer hooks by @bug-ops in #2358
• fix(tools): wire reasoning model detection and compress_provider into agent by @bug-ops in #2367
• fix(classifiers): pass vb.pp("deberta") at DeBERTa model load sites (#2353) by @bug-ops in #2368
• feat(security): IPI defense — DeBERTa soft-signal, three-class AlignSentinel, TurnCausalAnalyzer by @bug-ops in #2369
• feat(db): introduce zeph-db crate with database abstraction layer (Phase 1, SQLite) by @bug-ops in #2371
• feat(db): Phase 2 PostgreSQL backend for zeph-db by @bug-ops in #2372
• ci: run zeph-db postgres integration tests with testcontainers by @bug-ops in #2373
• feat(db): Phase 3 — init wizard, migrate-config, zeph db migrate CLI, CI postgres build by @bug-ops in #2379
• audit(docker): add all missing ZEPH_* env vars to compose files by @bug-ops in #2382
• fix(context): prevent orphaned tool results in MemoryFirst drain by @bug-ops in #2380
• feat(tui): interactive subagent sidebar and transcript viewer (#2376) by @bug-ops in #2381
• test(memory): add rollback and orchestration tests for consolidation by @bug-ops in #2383
• feat(postgres): fix call sites and add tests for postgres build by @bug-ops in #2384
• feat(llm): PILOT LinUCB bandit routing strategy with SLM subsystem audit by @bug-ops in #2390
• feat(db): complete database abstraction layer — eliminate sqlx leaks, fix dynamic queries, security hardening by @bug-ops in #2392
• release: v0.18.0 by @bug-ops in #2391

Full Changelog: v0.17.1...v0.18.0

v0.17.1

What's Changed

• fix(config): add [security.guardrail] stub to default.toml for migrate-config by @bug-ops in #2161
• feat(tui): Phase 1 dynamic metrics — model info, session config, infra status by @bug-ops in #2159
• feat(tui): Phase 2 dynamic metrics — compaction/STT models, inference params, test coverage by @bug-ops in #2162
• fix(memory): WAL checkpoint after FTS5 entity inserts — fix cross-session SYNAPSE seeds=0 by @bug-ops in #2168
• fix(deps): update astral-tokio-tar to 0.6.0 by @bug-ops in #2171
• fix(llm): delegate embed() to tier providers in TriageRouter (#2174) by @bug-ops in #2176
• fix(core,mcp): provider display name and MCP injection false positive by @bug-ops in #2177
• feat(config): unify STT provider under [[llm.providers]] with stt_model field by @bug-ops in #2179
• feat(memory): structured compaction probe categories (#2164) by @bug-ops in #2181
• feat(memory): hybrid SYNAPSE seed selection and A-MEM link weight evolution (#2167, #2163) by @bug-ops in #2182
• feat(orchestration): topology-aware scheduling and GAP parallel annotations by @bug-ops in #2183
• feat(orchestration): add planner_provider field to OrchestrationConfig by @bug-ops in #2184
• fix(llm): add missing MessageMetadata import in candle_provider test module (#2189) by @bug-ops in #2195
• feat(skills): add browser and os-automation bundled skills by @bug-ops in #2196
• fix(core): defer self-reflection to prevent orphaned tool_use blocks by @bug-ops in #2205
• feat(classifiers): Candle-backed injection classifier infrastructure (#2185) by @bug-ops in #2198
• fix(security): add URL grounding gate to prevent fetch hallucination (#2191) by @bug-ops in #2209
• test(classifiers): add unit tests and benchmarks for CandleClassifier (#2190) by @bug-ops in #2212
• feat(mcp): upgrade rmcp 1.2→1.3, add per-server trust level and tool allowlist by @bug-ops in #2213
• feat(tools): add structured tool error taxonomy with retry engine by @bug-ops in #2214
• fix(memory): reject self-loop edges in graph extractor by @bug-ops in #2221
• feat(classifiers): add DetectorMode::Model and CandleNerClassifier (#2210, #2211) by @bug-ops in #2227
• feat(tools): shell exit-code taxonomy and FailureKind integration by @bug-ops in #2226
• feat(orchestration): AdaptOrch topology-routing and Plan-Execute-Verify-Replan (#2219, #2202) by @bug-ops in #2235
• fix(llm): correct triage routing debug dump and remove context bias by @bug-ops in #2244
• fix(tools): repair Phase 2 transient retry and fix retryable feedback (#2223, #2222) by @bug-ops in #2245
• feat(classifiers): Phase 2 — PII detection and LlmClassifier for feedback (#2200) by @bug-ops in #2251
• fix(skills): decouple embedding provider from conversational provider (#2225) by @bug-ops in #2255
• fix(memory): flush orphaned tool_use DB rows after deferred summarization by @bug-ops in #2256
• test(orchestration): add DagScheduler tests for inject_tasks caps and LevelBarrier dispatch by @bug-ops in #2260
• fix(orchestration): harden PlanVerifier against misconfiguration and injection (#2238, #2239, #2240) by @bug-ops in #2264
• fix(classifiers): correct [CLS]/[SEP] framing for all NER chunks and wire regex+NER union merge by @bug-ops in #2258
• fix(skills): include managed_dir in build_registry and wire FaultCategory enum path by @bug-ops in #2265
• fix(orchestration): graceful drain on channel close, max_parallel drift, toposort 3-4x by @bug-ops in #2263
• fix(memory): use MessagePart::Summary for summary serialization (#2257) by @bug-ops in #2271
• fix(skills): suppress false-positive injection WARN for bundled skills by @bug-ops in #2273
• release: v0.17.1 by @bug-ops in #2275

Full Changelog: v0.17.0...v0.17.1

v0.17.0

What's Changed

• fix(skills): convert unsupported >- block scalar modifier to > in all skill files by @bug-ops in #2088
• feat(skills): auto-provision bundled skills to managed dir on startup by @bug-ops in #2090
• feat(router): RAPS Bayesian reputation scoring (#1886) by @bug-ops in #2091
• feat(memory): AOI three-layer hierarchical memory architecture by @bug-ops in #2092
• test(config): add similarity_threshold upper-bound validation test in PlanCacheConfig by @bug-ops in #2096
• test(memory): add unit tests for SqliteStore tier DB methods by @bug-ops in #2097
• docs: remove dead feature gate references by @bug-ops in #2103
• fix(memory): use source conversation_id in AOI tier promotion by @bug-ops in #2105
• chore(testing): add canonical config/testing.toml with provider=router for RAPS coverage by @bug-ops in #2107
• feat(config): promote scheduler and guardrail features to default by @bug-ops in #2106
• chore(llm): remove redundant schema feature gate from zeph-llm by @bug-ops in #2108
• feat(config): enable 8 validated settings by default (#2101) by @bug-ops in #2109
• test(cost): add unit test for max_daily_cents=0 unlimited budget by @bug-ops in #2111
• fix(tui): remove duplicate ToolStart/ToolOutput events in TUI bridge (#2116) by @bug-ops in #2118
• fix(tools): expand ~ in allowed_paths before canonicalization by @bug-ops in #2119
• fix(sidequest): handle ToolResult in rebuild_cursors and apply_eviction by @bug-ops in #2120
• fix(policy): propagate skill trust level to PolicyContext in PolicyGateExecutor by @bug-ops in #2123
• feat(experiments): wire eval_model config field to evaluator construction by @bug-ops in #2124
• test(tools): add FileExecutor allowed_paths integration tests (#2117) by @bug-ops in #2127
• test(channels): add injectable test transport to TelegramChannel by @bug-ops in #2128
• fix(tui): replace streaming chunk append with canonical body_display on ToolOutput (#2126) by @bug-ops in #2129
• fix(tools): normalize .. in resolve_via_ancestors to prevent sandbox bypass by @bug-ops in #2130
• test(channels): add Telethon-based E2E test suite for Telegram channel (#2122) by @bug-ops in #2131
• fix(config): vault token resolution must not auto-create channel configs by @bug-ops in #2133
• feat(security): response verification layer for post-LLM injection detection (#1862) by @bug-ops in #2149
• feat(config): unified [[llm.providers]] schema (#2134) by @bug-ops in #2148
• feat(core): add /provider command for runtime provider switching by @bug-ops in #2150
• feat(llm): complexity-based triage routing for multi-provider pool by @bug-ops in #2153
• release: v0.17.0 by @bug-ops in #2154
• chore(deps): update github-actions by @bug-ops in #2155
• fix(core): use effective_model() fallback in /provider switch by @bug-ops in #2156
• test(core): add unit tests for /provider command handlers by @bug-ops in #2157

Full Changelog: v0.16.1...v0.17.0

v0.16.1

What's Changed

• refactor(epic-1974): improve type safety - CompactionState, BoxFuture, schema helper by @bug-ops in #2014
• refactor(epic-1975): consolidate code duplication across LLM providers and utilities by @bug-ops in #2015
• refactor: remove dead code (epic #1976) by @bug-ops in #2016
• refactor(epic-1977): tighten abstraction boundaries — agent accessors, OpenAI fix, builder warnings by @bug-ops in #2017
• fix(channels): ensure feature parity across all 7 channels (#1978) by @bug-ops in #2018
• ci(nextest): partition unit tests into 4 parallel shards by @bug-ops in #2019
• feat(tools): dynamic tool schema filtering to reduce context waste and improve selection accuracy (#2020) by @bug-ops in #2026
• feat(tools): tool result cache — avoid redundant executions (#1822) by @bug-ops in #2027
• feat(memory): structured anchored summarization for context compression (#1607) by @bug-ops in #2037
• feat(memory): structured anchored summarization for context compression (#1607) by @bug-ops in #2039
• feat(memory): semantic response caching with embedding similarity by @bug-ops in #2029
• feat(tools): Think-Augmented Function Calling for improved parameter accuracy (TAFC, #1861) by @bug-ops in #2038
• refactor(memory): wrap cleanup() in atomic transaction by @bug-ops in #2041
• perf(memory): add expires_at to semantic cache index composite (#2030) by @bug-ops in #2042
• refactor(config): add validation for semantic_cache_threshold by @bug-ops in #2043
• fix(ml): rubato 1.0.1 API upgrade and StreamChunk wrapping (#1858) by @bug-ops in #2044
• test: add corrupted BLOB deserialization test (#2033) by @bug-ops in #2045
• enh(tools): /status reports tool_filter state when enabled (#2028) by @bug-ops in #2051
• feat(memory): compaction probe validation for post-compression context integrity (#1609) by @bug-ops in #2047
• test: add dimension mismatch handling tests for semantic cache by @bug-ops in #2046
• test(memory): add Ollama integration stubs for semantic cache (#2035) by @bug-ops in #2052
• fix(sanitizer): suppress false positives for memory retrieval (Issue #2025) by @bug-ops in #2053
• feat(init): add --init wizard step for compaction probe config (#2048) by @bug-ops in #2054
• feat(tui): add compaction probe metrics to TUI dashboard (#2049) by @bug-ops in #2055
• docs(tools): enable tool_schema_filter testing coverage for #2020 (issue #2040) by @bug-ops in #2056
• Update aws-lc-sys to resolve RUSTSEC-2026-0048 by @bug-ops in #2063
• feat(tools): tool dependency graph for sequential tool availability by @bug-ops in #2059
• feat(memory): write-time importance scoring for improved retrieval by @bug-ops in #2062
• feat(core): add multi-language FeedbackDetector support (#1424) by @bug-ops in #2060
• feat(context): HiAgent subgoal-aware context compaction for long-horizon tasks (#2022) by @bug-ops in #2061
• fix(core): distinguish probe rejection from success in /compact handler (#2058) by @bug-ops in #2064
• fix(sanitizer): classify memory_search tool output as MemoryRetrieval (#2057) by @bug-ops in #2065
• fix(memory): task-aware context pruning critical fixes (#1851) by @bug-ops in #2066
• fix(tests): gate subgoal_extraction_tests on context-compression feature (#2067) by @bug-ops in #2069
• feat(orchestration): plan template caching for LLM planner cost reduction (#1856) by @bug-ops in #2068
• docs: document semantic_cache_max_candidates recall tradeoff by @bug-ops in #2071
• docs: add compaction probe explanation to context-management guide (#2050) by @bug-ops in #2072
• fix(orchestration): wire plan_with_cache into handle_plan_goal (#2070) by @bug-ops in #2074
• fix(scheduler): use explicit execution prefix for scheduled task injection (#2073) by @bug-ops in #2075
• feat(orchestration): MAST-informed handoff hardening — Phase 1 (issue #2023) by @bug-ops in #2076
• feat(memory): MAGMA multi-graph memory with typed edges (issue #1821) by @bug-ops in #2077
• feat(orchestration): implement Phase 2 handoff validation layer (issue #2023) by @bug-ops in #2078
• feat(memory): implement SYNAPSE spreading activation retrieval over entity graph (#1888) by @bug-ops in #2080
• revert(orchestration): remove HandoffContext and validation layer (#2076, #2078) by @bug-ops in #2082
• fix(memory): align MAGMA entity extraction prompt with EntityType enum by @bug-ops in #2083
• docs: comprehensive documentation update for post-v0.16.0 features by @bug-ops in #2085
• release: v0.16.1 by @bug-ops in #2086

Full Changelog: v0.16.0...v0.16.1

v0.16.0

What's Changed

• fix: update config snapshot version to 0.15.3 by @bug-ops in #1953
• fix(memory): detect and recover from Qdrant collection dimension mismatch (#1951) by @bug-ops in #1954
• fix(llm): OpenAI API 400 Bad Request on skill documentation by @bug-ops in #1955
• fix(tests): normalize TOML quote style for cross-platform snapshot consistency by @bug-ops in #1958
• refactor: reorganize workspace dependencies — versions in workspace, features in crates by @bug-ops in #1959
• fix: add clock feature to chrono in zeph-memory by @bug-ops in #1960
• upgrade: agent-client-protocol 0.10.2 — stabilize session management features by @bug-ops in #1961
• refactor: structural code organization — EPIC-01 through 06 by @bug-ops in #1966
• refactor: PR #1966 cleanup — consolidate text, tree-sitter, add README, group Agent fields, add state tests by @bug-ops in #1972
• refactor(epic-1973): Extract config loaders from zeph-core (Phase 1b) by @bug-ops in #2006
• Phase 1c: Extract vault logic into zeph-vault crate (Layer 1) by @bug-ops in #2007
• refactor(epic-1973): Extract experiments logic into zeph-experiments crate (Phase 1d) by @bug-ops in #2008
• refactor(epic-1973): Extract zeph-sanitizer crate from zeph-core (Phase 1e #1981) by @bug-ops in #2009
• refactor(epic-1973): Extract zeph-subagent crate from zeph-core (Phase 1f) by @bug-ops in #2010
• refactor(epic-1973): Extract zeph-orchestration crate from zeph-core (Phase 1g #1979) by @bug-ops in #2012
• release: v0.16.0 by @bug-ops in #2013

Full Changelog: v0.15.3...v0.16.0

v0.15.3

What's Changed

• sec: CodeQL cleartext-logging suppressions and Actions SHA pinning by @bug-ops in #1908
• fix(core): wire Focus Agent and SideQuest config from TOML to agent builder by @bug-ops in #1914
• fix(memory): sync session summaries to Qdrant on compact_context happy path by @bug-ops in #1915
• fix(core): wire corrections write path regardless of LearningConfig::enabled by @bug-ops in #1918
• sec: pin all third-party GitHub Actions to SHA by @bug-ops in #1919
• fix(memory): filter structural noise from graph entity extraction by @bug-ops in #1920
• fix(llm): list_models_remote constructs correct models URL by @bug-ops in #1921
• fix(context-compression): make extract_task_goal fire-and-forget (#1909) by @bug-ops in #1922
• obs(orchestration): track planner/aggregator LLM calls in session metrics (#1899) by @bug-ops in #1925
• fix(tui): clear graph spinner after spawn_graph_extraction by @bug-ops in #1926
• feat(context-compression): add CLI flags, init wizard, debug dumps, TUI spinners (#1904) by @bug-ops in #1928
• enhancement(core): implement functional LearningEngine (#1913) by @bug-ops in #1929
• feat(index): show indexing progress during background code indexing by @bug-ops in #1927
• fix(memory): deduplicate session summaries in Qdrant (#1917) by @bug-ops in #1933
• fix(tui): update graph metrics every turn, not only on extraction by @bug-ops in #1934
• fix(tui): implement send_tool_start in TuiChannel (#1931) by @bug-ops in #1935
• test(memory): add integration tests for store_session_summary → Qdrant upsert roundtrip by @bug-ops in #1936
• feat(mcp): OAuth 2.1 and static Bearer header auth for remote MCP servers by @bug-ops in #1937
• fix(vault): replace blocking_read with block_in_place in ArcAgeVaultProvider by @bug-ops in #1940
• fix(orchestrator): add circuit breaker and chat_with_tools fallback chain by @bug-ops in #1942
• fix(tui): graph metrics panel always showing zero (#1938) by @bug-ops in #1943
• fix(tui): filter metrics always zero in native tool execution path (#1939) by @bug-ops in #1946
• fix(config): add XDG fallback to resolve_config_path for ACP IDE launch context by @bug-ops in #1947
• chore: restructure repo layout — book, scripts, specs by @bug-ops in #1948
• release: v0.15.3 by @bug-ops in #1949

Full Changelog: v0.15.2...v0.15.3

v0.15.2

What's Changed

• fix(debug): trace mode creates empty session dirs and overwrites trace.json (#1814) by @bug-ops in #1819
• fix(memory): recreate Qdrant collections on vector dimension mismatch by @bug-ops in #1820
• fix(memory): pass embedding store to EntityResolver in extract_and_store by @bug-ops in #1827
• fix(core): restore JIT tool reference injection after overflow SQLite migration by @bug-ops in #1826
• test(memory): add missing sanitize_guidelines tests for special-token and role-prefix patterns by @bug-ops in #1830
• refactor(acp): centralize ACP session config wiring by @bug-ops in #1834
• feat(memory,core): session summary on shutdown (#1816) by @bug-ops in #1833
• fix(memory): pass provider to EntityResolver in extract_and_store by @bug-ops in #1836
• feat(memory): add conversation_id to compression_guidelines for per-conversation scoping by @bug-ops in #1835
• fix(llm): strip URL path in parse_host_port for Ollama base_url with /v1 suffix by @bug-ops in #1837
• fix(security): redact secrets and paths in compression_failure_pairs before storage by @bug-ops in #1838
• observability(router): add tracing instrumentation to cascade router by @bug-ops in #1843
• feat(memory): add --compression-guidelines CLI flag by @bug-ops in #1844
• feat(tui): add compression guidelines status line and /guidelines command by @bug-ops in #1848
• deps: upgrade rmcp 0.17 → 1.2 by @bug-ops in #1849
• feat(context): fix soft compaction tier rarely firing (#1828) by @bug-ops in #1857
• refactor(features): replace flat feature list with use-case bundles by @bug-ops in #1859
• fix(security): extend compression_failure_pairs redaction to JWT Bearer tokens by @bug-ops in #1860
• feat(security): declarative policy compiler for tool call authorization by @bug-ops in #1870
• feat(security): LLM-based guardrail pre-screener for prompt injection (#1651) by @bug-ops in #1875
• feat(tools): pre-execution action verification plugin hook in tool pipeline (#1630) by @bug-ops in #1881
• feat(skills): malicious skill trust tier enforcement (#1853) by @bug-ops in #1878
• fix(core): fix overflow prefix validation error in read_overflow tool by @bug-ops in #1882
• fix(policy): remove dead PolicyEffect::AllowIf variant by @bug-ops in #1883
• fix(policy): remove env leak and add --trust-level to /policy check by @bug-ops in #1884
• fix(memory): attempt plain-text fallback when session summary times out (#1869) by @bug-ops in #1887
• fix(policy): accept "shell"/"sh" as aliases for "bash" tool_id in policy rules by @bug-ops in #1891
• fix(security): block MCP tools for quarantined skills (#1876) by @bug-ops in #1892
• sec(policy): add symlink boundary check to load_policy_file() by @bug-ops in #1893
• fix(orchestration): mark non-terminal tasks Canceled on scheduler deadlock (#1879) by @bug-ops in #1894
• test(policy): additional coverage for policy_file loading, MAX_RULES boundary, and confirmed allow path by @bug-ops in #1896
• feat(tools): add --init wizard step for pre-execution verifier config (#1880) by @bug-ops in #1897
• test: audit cleanup — remove duplicates, useless tests, add critical coverage by @bug-ops in #1895
• fix(policy): report correct rule count in /policy status when using policy_file by @bug-ops in #1901
• feat(core): context compression — Focus Agent, SWE-Pruner/COMI, SideQuest (#1850, #1851, #1885) by @bug-ops in #1900
• release: v0.15.2 by @bug-ops in #1902

Full Changelog: v0.15.1...v0.15.2

v0.15.1

What's Changed

• fix(tui): skip ACP stdio autostart and suppress MCP child stderr in TUI mode by @bug-ops in #1730
• refactor(zeph-core): decompose Agent struct and remove anyhow (#1731, #1732) by @bug-ops in #1743
• security(mcp): sanitize MCP tool definitions at registration to prevent tool-poisoning injection by @bug-ops in #1745
• test(llm): add build_request integration test for extended context enabled path by @bug-ops in #1749
• feat(llm): add --extended-context CLI flag for Claude 1M context window by @bug-ops in #1748
• refactor(zeph-core): remove anyhow, replace with typed thiserror errors by @bug-ops in #1750
• feat(llm): implement ClassifierMode::Judge for cascade routing by @bug-ops in #1751
• feat(tui): show extended context mode indicator in status bar by @bug-ops in #1752
• feat(llm): add best-seen response tracking to cascade_chat_stream by @bug-ops in #1753
• refactor: split config/types.rs and semantic.rs into domain modules by @bug-ops in #1756
• refactor(core,tools): box large LoopbackEvent variants and remove async-trait from zeph-tools by @bug-ops in #1757
• fix(llm): skip empty string responses in cascade best-seen tracking by @bug-ops in #1758
• fix(llm): return best_seen when escalations_remaining==0 and should_escalate by @bug-ops in #1759
• test(llm): add missing compaction unit tests by @bug-ops in #1760
• refactor(mcp,core): extract shared injection-detection patterns to avoid drift by @bug-ops in #1761
• security(mcp): implement tools/list_changed refresh path with sanitization by @bug-ops in #1762
• feat(init): add hard_compaction_threshold prompt to --init wizard (#1719) by @bug-ops in #1763
• feat(cost): add gpt-5 and gpt-5-mini to default pricing table by @bug-ops in #1765
• perf(llm): use Arc<[AnyProvider]> in RouterProvider, add cost_tiers config by @bug-ops in #1764
• perf(tools): cache extracted string values in ToolCallDag to avoid double scan by @bug-ops in #1766
• feat(gemini): Phase 4 — SSE streaming tool use (functionCall chunks) by @bug-ops in #1767
• test(core): add COV-04 unit test for channel-close in run_scheduler_loop by @bug-ops in #1768
• feat(core): JIT tool reference injection after pruning (#1740) by @bug-ops in #1771
• feat(memory): temporal versioning on graph memory edges by @bug-ops in #1775
• refactor(core): reduce clippy::too_many_lines suppressions (50 → 11) by @bug-ops in #1779
• fix(memory): add edge_history_limit config field to prevent unbounded results by @bug-ops in #1780
• feat(core): migrate tool overflow storage from disk to SQLite by @bug-ops in #1782
• feat(memory): validate temporal_decay_rate on deserialization by @bug-ops in #1783
• test(memory): add direct unit tests for edges_at_timestamp, edge_history, bfs_at_timestamp by @bug-ops in #1784
• docs: update README and mdBook for post-M33 changes by @bug-ops in #1785
• feat(memory): track trajectory elongation from hard compaction (#1739) by @bug-ops in #1787
• feat(memory): add /graph history command for temporal edge queries by @bug-ops in #1786
• feat(memory): A-MEM dynamic note linking at write time (#1694) by @bug-ops in #1788
• feat(memory): adaptive retrieval dispatch by query type (#1629) by @bug-ops in #1789
• fix(memory): fix inflated edges_created, batch embed/search, add missing tests by @bug-ops in #1795
• feat(security): OWASP AI Agent Security 2026 gap analysis (#1650) by @bug-ops in #1796
• feat(debug): structure debug dumps as OpenTelemetry-compatible traces by @bug-ops in #1797
• feat(memory): failure-driven context compression guidelines (ACON, #1647) by @bug-ops in #1808
• fix(debug): record native tool span startTimeUnixNano before execution by @bug-ops in #1809
• fix(memory): make save_compression_guidelines version bump atomic by @bug-ops in #1810
• release: v0.15.1 by @bug-ops in #1811

Full Changelog: v0.15.0...v0.15.1