π nanobot v0.1.4.post6 is here β 57 PRs merged, 27 new contributors, and a release that's less about adding surface area than about rethinking what's underneath.
Some releases are about what you can do. This one is about how cleanly you can do it. The agent runtime got formally decomposed, a major dependency was removed, streaming went end-to-end, and a security vulnerability was closed. Beneath the feature work, v0.1.4.post6 is a structural turning point β the kind of release that makes the next release possible.
Highlights
-
The agent runtime was decomposed into composable pieces β A shared
AgentRunnerwas extracted, lifecycle hooks were unified into a formalHookContext, and subagent progress is now preserved even on failure. Command routing was refactored into a plugin-friendly structure, andprocess_directwas unified to returnOutboundMessageconsistently. This isn't just cleanup β it's the foundation for pluggable agent behaviors, custom execution strategies, and third-party lifecycle integrations that are coming next. (#2524, #2541, #2388, #2338) -
litellm was replaced with native OpenAI + Anthropic SDKs β The entire provider layer was rewritten to talk directly to upstream SDKs instead of routing through litellm. Prompt cache optimization for Anthropic, proper
max_completion_tokenshandling for OpenAI o1, and Gemini thought signature preservation all came along for the ride. If you've ever debugged a litellm traceback at 2am, you understand why this matters. (#2448, #1109, #2468, #2550, #2453) -
Streaming went end-to-end β From provider to channel to CLI, streaming output now flows as a first-class path. Feishu gained CardKit streaming support, queued stream deltas are coalesced to reduce API calls, and the channel manager handles stream boundaries correctly. This is the difference between "the bot is typing..." and actually watching it think. (#2365, #2545, #2497)
-
A security vulnerability was patched β Email injection and spoofing via missing authentication verification has been fixed. Inbound emails now verify SPF/DKIM through
Authentication-Resultsheaders, withverify_dkimandverify_spfenabled by default. Email content is tagged with[EMAIL-CONTEXT]to prevent LLM prompt injection from email bodies. See the advisory for details. (GHSA-4gmr-2vc8-7qh3) -
WeChat support landed as a full channel β WeChat (Weixin) joined the channel family with HTTP long-poll, QR code login, and plugin 1.0.3 compatibility. Alongside it, Telegram, QQ, WhatsApp, and Feishu all received cross-channel enhancements including retry mechanisms with exponential backoff. (#2412, #2428, #2386, #2478)
-
Provider coverage kept expanding β Mistral and OVMS providers arrived, Step Fun (ιΆθ·ζθΎ°) joined the ecosystem, and custom provider error reporting got much more honest β raw API errors instead of opaque
JSONDecodeError. nanobot continues to meet users wherever their models live. (#2199, #2472, #2289, #2139) -
The agent got smarter about resources β Per-session concurrent dispatch landed, native multimodal sensory capabilities were added, token estimation now counts all message fields, and memory consolidation properly reserves completion headroom. The agent loop also handles
CancelledErrorgracefully and records subagent results with correct roles. (#2393, #2304, #2344, #2378, #2239, #2104) -
Feishu and Telegram both leveled up β Feishu gained streaming cards, code block parsing in post messages, and fixes for markdown rendering and media types. Telegram got HTTP(S) URL media support, separated connection pools to prevent pool exhaustion, and quieter network error logging. Small individually, substantial together. (#2545, #2246, #1814, #1755, #1793, #2247, #2272)
-
CLI and onboarding became more capable β A full-featured onboard wizard arrived,
--direnables multiple instances,/statusshows runtime info,-hworks everywhere, and timezone is now configurable. The kind of polish that makes first-run experience feel intentional. (#2101, #1763, #1985, #2123, #2477, #1136, #2266) -
Infrastructure hardened across the board β Zombie processes are reaped on shell timeout, cron job stores are scoped to workspaces, MCP tool schemas handle nullable params correctly, Docker builds include openssh-client, and the test suite was reorganized into a cleaner structure. The kind of work that prevents the bug report you'd otherwise file next month. (#2362, #2204, #2230, #2287, #1911, #2427, #2367)
Community
A warm welcome to our 27 new contributors in this release.
v0.1.4.post6 is shaped by a belief that the most important work in open source isn't always the most visible. Replacing a core dependency, decomposing a runtime, closing a security hole β none of these make for flashy demos, but all of them make nanobot a project you can build on with more confidence tomorrow than yesterday. Thank you to everyone who contributed code, fixes, docs, and ideas. The foundation is getting stronger.
Full Changelog: v0.1.4.post5...v0.1.4.post6
What's Changed
- fixοΌWorkspace path in onboard command ignores config setting by @danielyangfei in #1136
- feat: add --dir option to onboard command for Multiple Instances by @skiyo in #1763
- fix(providers): handle empty choices in custom provider response by @JiajunBernoulli in #2139
- feat(slack): update reaction emoji on task completion by @sihyeonn in #1852
- fix(feishu): fix markdown rendering issues in headings and tables by @xgzlucario in #1814
- fix(feishu): use correct msg_type for audio/video files by @weipengOO98 in #1755
- fix: preserve image paths in fallback and session history by @Re-bin in #2165
- docs(readme): fix broken link to Channel Plugin Guide by @angleyanalbedo in #2040
- fix:subagent result messages incorrectly recorded as user role by @yorkhellen in #2104
- fix(cron): show schedule details and run state in _list_jobs() output by @pjhoberman in #2107
- logo: transparent background by @vivganes in #1647
- fix: When using custom_provider, a prompt "LiteLLM:WARNING" will still appear during conversation by @JavisPeng in #2191
- feat(telegram): support HTTP(S) URLs for media in TelegramChannel by @h4nz4 in #1793
- feat: parse feishu code block content in post message by @mamamiyear in #2246
- fix: separate Telegram connection pools and add timeout retry to prevent pool exhaustion by @Re-bin in #2247
- Fix TypeError for MCP tools with nullable JSON Schema params by @rreben in #2230
- fix: nanobot onboard update config crash by @mamamiyear in #2266
- docs: add subagent workspace assignment hint to spawn tool description by @JilunSun7274 in #2248
- Full-featured onboard wizard![from nightly] by @chengyongru in #2101
- fix(custom_provider): show raw API error instead of JSONDecodeError by @asdf17128 in #2289
- fix(agent): handle asyncio.CancelledError in message loop by @cdkey85 in #2239
- feat(tools): enhance ExecTool with enable flag and custom deny_patterns by @angleyanalbedo in #1824
- feat(cron): add run history tracking for cron jobs by @xzq-xu in #1838
- Add support for -h in the CLI by @JamesWrigley in #2123
- fix: add openssh-client and use HTTPS for GitHub in Docker build by @KEEPSLAMDUNK in #1911
- Harden email IMAP polling retries by @jr551 in #2122
- docs: add github copilot oauth setup and exclude from generated config by @Harvey-Mackie in #2310
- feat(agent): implement native multimodal autonomous sensory capabilities by @vandazia in #2304
- fix: normalize MCP tool schema for OpenAI-compatible providers by @haosenwang1018 in #2287
- feat: add /status command to show runtime info by @robbyczgw-cla in #1985
- refactor(agent): unify process_direct to return OutboundMessage by @Re-bin in #2338
- fix(agent): count all message fields in token estimation by @Re-bin in #2344
- perf: optimize prompt cache hit rate for Anthropic models by @coldxiangyu163 in #1109
- feat: end-to-end streaming output for providers, channels, and CLI by @Re-bin in #2365
- feat(provider): add mistral/ovms provider by @chengyongru in #2199
- fix(memory): reserve completion headroom before token consolidation by @Re-bin in #2378
- Refactor command routing for a plugin-friendly structure by @Re-bin in #2388
- feat(agent): enable per-session concurrent dispatch by @Re-bin in #2393
- fix(shell): reap zombie processes when command timeout kills subprocess by @macroadster in #2362
- fix(heartbeat): retain bounded legal session suffix by @Re-bin in #2413
- feat(wechat): support wechat channel by @chengyongru in #2412
- fix(cron): scope cron job store to workspace directory by @MiguelPF in #2204
- feat: telegram/qq/whatsapp/feishu enhancement by @chengyongru in #2386
- proposal to adopt mypy some e.g. interfaces problems by @19emtuck in #2367
- refactor(tests): optimize unit test structure by @chengyongru in #2427
- refactor: replace litellm with native openai + anthropic SDKs by @Re-bin in #2448
- Fix/Feat(WeiXin): Adapt to WeChat plugin 1.0.3 by @xcosmosbox in #2428
- Unintended Discord behaviour with Threads by @Seeratul in #2452
- fix: preserve Gemini thought signatures in tool calls by @yoheinishikubo in #2453
- fix(providers): add max_completion_tokens for openai o1 compatibility (backport to main) by @flobo3 in #2468
- feat(config): add configurable timezone for runtime context by @Re-bin in #2477
- feat(channel): add message send retry mechanism with exponential backoff by @chengyongru in #2478
- feat(provider): add Step Fun (ιΆθ·ζθΎ°) provider support by @ZouR-Ma in #2472
- refactor: extract shared agent runner and preserve subagent progress on failure by @Re-bin in #2524
- refactor: unify agent runner lifecycle hooks by @Re-bin in #2541
- fix(providers): make max_tokens and max_completion_tokens mutually exclusive (#2491) by @chengyongru in #2550
- fix(channel): coalesce queued stream deltas to reduce API calls by @chengyongru in #2497
- feat(feishu): support stream output (cardkit) (#2382) by @chengyongru in #2545
- fix(telegram): log network errors as warnings without stacktrace by @flobo3 in #2272
New Contributors
- @danielyangfei made their first contribution in #1136
- @skiyo made their first contribution in #1763
- @sihyeonn made their first contribution in #1852
- @xgzlucario made their first contribution in #1814
- @weipengOO98 made their first contribution in #1755
- @angleyanalbedo made their first contribution in #2040
- @pjhoberman made their first contribution in #2107
- @JavisPeng made their first contribution in #2191
- @h4nz4 made their first contribution in #1793
- @mamamiyear made their first contribution in #2246
- @rreben made their first contribution in #2230
- @JilunSun7274 made their first contribution in #2248
- @cdkey85 made their first contribution in #2239
- @JamesWrigley made their first contribution in #2123
- @KEEPSLAMDUNK made their first contribution in #1911
- @jr551 made their first contribution in #2122
- @Harvey-Mackie made their first contribution in #2310
- @vandazia made their first contribution in #2304
- @robbyczgw-cla made their first contribution in #1985
- @macroadster made their first contribution in #2362
- @MiguelPF made their first contribution in #2204
- @19emtuck made their first contribution in #2367
- @xcosmosbox made their first contribution in #2428
- @Seeratul made their first contribution in #2452
- @yoheinishikubo made their first contribution in #2453
- @ZouR-Ma made their first contribution in #2472
Full Changelog: v0.1.4.post5...v0.1.4.post6