DeepTutor v1.4.1 Release Notes
Release Date: 2026.05.27
v1.4.1 is a security and stability patch on v1.4.0. It locks down
the TutorBot tool sandbox, isolates per-user resources, fixes a v1.4.0 chat
regression, adds an HTTP API for talking to a specific TutorBot, and ships a
multimodal image-fallback fix for providers DeepTutor has no vision entry for.
What's New
TutorBot Tool Sandbox Is Opt-In
The shell exec tool is no longer registered unless an admin sets
allow_shell_exec, and all filesystem + shell access is confined to the bot
workspace by default. Command deny-lists were re-anchored at command
boundaries, and allow_shell_exec can't be flipped on via the update payload.
Per-User Resource Isolation
Book roots, session databases, turn-runtime stores, and TutorBot directories
are scoped per user, and web/API conversations are keyed per session — so
cross-user requests can't reach each other's data.
HTTP / SSE API For A TutorBot
New POST /{bot_id}/chat and /chat/execute-stream (SSE) endpoints with
auto-start and persistent per-session context, for multi-turn conversations
with a specific bot from external clients.
Multimodal Image Fallback
Images are sent optimistically to every provider; if a request carrying images
fails and the model isn't in the known-vision allowlist, the turn retries
text-only. Fixes silently dropped images on Doubao / VolcEngine and other
multimodal models that lack a capability entry.
Safe ZIP Upload + Network Settings
.zip knowledge uploads expand member-by-member through the document validator
with size / count / compression-ratio bounds and path-escape guards; the
archive itself is never indexed. A new /settings/network page surfaces ports,
public API base, and CORS origins (normalized to tolerate host:port and
trailing slashes), plus a "fetch models" action listing model IDs from an
OpenAI-compatible endpoint.
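The member-by-member ZIP expansion described above, sketched in Python as an added example. This is not DeepTutor's code: the limit values, the function names and the `validate` callback are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed limits; the release notes do not state DeepTutor's actual values.
MAX_MEMBERS = 200
MAX_MEMBER_BYTES = 20 * 1024 * 1024
MAX_TOTAL_BYTES = 100 * 1024 * 1024
MAX_RATIO = 100  # uncompressed size / compressed size

class UnsafeArchive(ValueError):
    """Raised when an archive breaks a bound or a member path escapes."""

def safe_member_name(name):
    """Normalize a member name; reject absolute, drive-prefixed and '..' paths."""
    path = PurePosixPath(name.replace("\\", "/"))
    parts = path.parts
    if not parts or path.is_absolute() or ".." in parts or ":" in parts[0]:
        raise UnsafeArchive(f"unsafe member path: {name!r}")
    return str(path)

def expand_zip(data, validate):
    """Return [(name, bytes)] per file member; validate() is a hypothetical validator."""
    accepted, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > MAX_MEMBERS:
            raise UnsafeArchive("too many members")
        for info in infos:
            name = safe_member_name(info.filename)
            if (info.file_size > MAX_MEMBER_BYTES
                    or info.file_size > MAX_RATIO * max(info.compress_size, 1)):
                raise UnsafeArchive(f"size or ratio bound exceeded: {name}")
            with zf.open(info) as fh:
                body = fh.read(MAX_MEMBER_BYTES + 1)  # bounded read, not header trust
            total += len(body)
            if len(body) > MAX_MEMBER_BYTES or total > MAX_TOTAL_BYTES:
                raise UnsafeArchive("size bound exceeded")
            validate(name, body)  # each member is checked; the archive is not stored
            accepted.append((name, body))
    return accepted

def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Nothing is written to disk here; a caller that does write members out should still join each returned name onto the target directory and confirm the resolved path stays inside it.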
Community Fixes & Changes
Security — closed TutorBot RCE via the shell tool (#518), path traversal in
the filesystem tool (#517), cross-bot file-management authz bypass (#516),
cross-session turn-regeneration authz bypass (#515), book-confirmation authz
bypass (#514), and ExecTool executing LLM shell commands over chat (#506,
first hardened in PR #507).
Bug fixes — chat input disabled after the first turn (v1.4.0 regression,
#520), knowledge-base embedding failure on long documents (#521 / PR #509),
new users unable to create a profile under Docker (#512 / PR #513), Qwen
reasoning models failing native tool calling (#527 / PR #528), and the GPT-5
init-wizard token parameter (PR #508).
Merged / reworked PRs — native tool calling for reasoning models (#528),
oversized session-event truncation (#524), empty-state profile button (#513),
chunking-pipeline fix (#509), GPT-5 probe (#508), ExecTool hardening (#507).
Contributions #522 (zip upload) and #523 (model fetching + notebook lookup)
were reimplemented locally and ship here.
Feature request — HTTP API for multi-turn chat with a specific TutorBot
(#511).
Upgrade Notes
- Drop-in from v1.4.0: pip install -U deeptutor; Docker users pull ghcr.io/hkuds/deeptutor:latest.
- TutorBot shell exec is now disabled by default. If you relied on it, set allow_shell_exec on the bot; tool access stays confined to the workspace.
- For cross-site HTTPS auth, set explicit CORS origins and cookie_secure=true.
What's Changed
- fix(settings): add profile button when no profiles exist by @wedone in #513
- Fix GPT-5 token limit parameter in init wizard probe by @lezhimiffyliu in #508
- fix(security): harden ExecTool defaults against command injection (#506) by @kagura-agent in #507
- fix: prevent Document nodes from bypassing chunking pipeline by @washi4 in #509
- feat: truncate oversized event payloads in session response by @xiongjnu in #524
- fix(chat): enable native tool calling for reasoning models via OpenAI-compatible endpoints by @wedone in #528
New Contributors
- @lezhimiffyliu made their first contribution in #508
- @washi4 made their first contribution in #509
- @xiongjnu made their first contribution in #524
Full Changelog: v1.4.0...v1.4.1