v0.5.13

What's new

• Dynamic Telegram channel setup tool — when a user pastes a Telegram bot token in chat, the agent automatically gets a setup_telegram_channel tool injected for that request only. Zero cost on every other message. No skills, no permanent tools, no prompt bloat.
• Calls back to the new POST /agents/channels/setup API endpoint which reuses all existing channel creation logic.

Closes discussion #11 (Telegram bot integration friction).

v0.5.12

Fixes

• Telegram message persistence: fire-and-forget asyncio.create_task() calls were getting garbage collected before completion, causing intermittent message loss. Task references are now held in a _background_tasks set.
• Concurrent message race condition: added per-chat asyncio.Lock to serialize webhook processing per chat_id, preventing context dict overwrites when the same user sends multiple messages quickly.

Security

• Webhook secret verification: supports X-Telegram-Bot-Api-Secret-Token header check when webhook_secret is configured in the channel config.

Cleanup

• Removed dead code (_get_channel_for_token)

v0.5.11

feat: configurable max_turns via MAX_TURNS env var (default 25)

v0.5.10

Fixes

• uv fallback to pip: Upgrade handler now falls back to pip install on older sprite images that don't have uv installed
• pipefail error detection: set -o pipefail prevents silent install failures masked by shell pipelines
• PATH in version check: Version verification command now exports PATH to find packages in ~/.local/bin
• Exit code validation: Non-zero pip/uv exit codes are now caught and logged instead of silently ignored

Found during batch upgrade of 150 agents across 3 batches.

v0.5.9

Fix: Memory/embedding 401 — api_key not read from env vars

Root cause: memory_engine.py read api_key from config.json, but config_builder passes sensitive fields via env vars only (TERMO_API_KEY). The key was always empty, causing 401 on every embedding call.

Changes

• Read TERMO_API_KEY and TERMO_API_BASE from env vars first, falling back to config.json

v0.5.8

Fix: Embedding calls failing with 403

Root cause: TermoEmbeddingFunction and the memory extraction call were missing the X-Agent-Id header required by the LLM proxy since the security hardening. All embedding requests were silently rejected, breaking ChromaDB semantic memory.

Changes

• Add X-Agent-Id header to TermoEmbeddingFunction in memory_engine.py
• Add X-Agent-Id header to memory extraction urllib call in platform_adapter.py
• Both read from TERMO_AGENT_ID env var (already set on all Sprite VMs)

Deploy

Trigger runtime upgrade on running agents to pick up this fix.

v0.5.7

Fixed

• App proxy is now a catch-all fallback instead of /app/ prefix — Vite, Next.js, and other dev servers that load assets from root-relative paths now work correctly
• Added is_public_request() hook to AgentAdapter for dynamic auth bypass (catch-all proxy is public when .app_port exists)

v0.5.6

New

• run_app tool — agents start long-running services via sprite-env services create, with auto-restart and optional public URL routing via /app/
• /app/* reverse proxy — proxies to localhost port specified in run_app(port=...)
• GET /api/apps — list running user apps (excludes reserved services)
• DELETE /api/apps/{name} — stop and delete a user app

Changed

• Background process patterns (&, nohup, setsid, disown) are now blocked in execute_command with a message pointing to run_app

v0.5.5

Persist actual Telegram tool-sent messages to DB for web UI visibility

v0.5.4

Read api_key and api_base from TERMO_API_KEY/TERMO_API_BASE env vars instead of config.json. Falls back to config for backwards compatibility.