github RightNow-AI/openfang v0.5.7
v0.5.7 — Security, Search, and Stability

5 hours ago

Security

  • Argon2id password hashing (#753 by @RamXX) — Dashboard auth now uses Argon2id with random salts instead of plain SHA-256. New openfang auth hash-password CLI command. Startup warning when legacy hash detected. Migration guide in docs.

New Features

  • SearXNG search provider (#920 by @norci) — Self-hosted metasearch with configurable instance URL, category validation, pagination, and noise filtering. Privacy-first alternative to Brave/Tavily.
  • SSRF allowlist — Self-hosted K8s users can now configure ssrf_allowed_hosts in config.toml. Agents can reach internal services like n8n, Gitea, and cluster APIs. Cloud metadata endpoints remain unconditionally blocked.
    [tools.web_fetch]
    ssrf_allowed_hosts = ["*.olares.com", "10.0.0.0/8"]
  • XML tool call recovery (#897 by @tytsxai) — Recovers <function=tool><parameter=name>value</parameter></function> format from Llama-family models. Adds format #14 to the text-based recovery pipeline.
  • Wildcard tool capabilities — Agent manifests can use mcp_filesystem_* patterns in tool lists instead of enumerating every MCP tool.
  • Expanded embedding auto-detection — Now probes OpenAI, Groq, Mistral, Together, Fireworks, Cohere before local providers. Clear warning when no embedding provider is available.
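
The SSRF allowlist item above, sketched as an added example (not openfang's own code): metadata destinations are refused before any ssrf_allowed_hosts entry is consulted, so neither a wildcard nor a CIDR entry can re-open them. Assumptions: the function names and signature are hypothetical, the metadata set (IPv4 link-local plus metadata.google.internal) is illustrative because the page does not list the endpoints, CIDR matching is IPv4 only, and a *. entry matches subdomains only.

```rust
use std::net::{IpAddr, Ipv4Addr};

// Assumed metadata set: IPv4 link-local (covers 169.254.169.254) and GCP's metadata name.
fn is_metadata(host: &str, ip: IpAddr) -> bool {
    let link_local = matches!(ip, IpAddr::V4(v4) if v4.is_link_local());
    link_local || host.eq_ignore_ascii_case("metadata.google.internal")
}

// True when `entry` is an IPv4 CIDR such as "10.0.0.0/8" that contains `ip`.
fn cidr_contains(entry: &str, ip: IpAddr) -> bool {
    let (net, len) = match entry.split_once('/') {
        Some(parts) => parts,
        None => return false,
    };
    let (net, len, ip) = match (net.parse::<Ipv4Addr>(), len.parse::<u32>(), ip) {
        (Ok(n), Ok(l), IpAddr::V4(i)) if l <= 32 => (u32::from(n), l, u32::from(i)),
        _ => return false,
    };
    let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    net & mask == ip & mask
}

// "*.example.com" matches subdomains only (assumption); other entries match exactly.
fn host_matches(entry: &str, host: &str) -> bool {
    let (entry, host) = (entry.to_ascii_lowercase(), host.to_ascii_lowercase());
    match entry.strip_prefix("*.") {
        Some(suffix) => host
            .strip_suffix(suffix)
            .map_or(false, |rest| rest.len() > 1 && rest.ends_with('.')),
        None => host == entry,
    }
}

// `ip` is the address `host` resolved to (hypothetical signature).
fn allowlist_permits(host: &str, ip: IpAddr, allow: &[&str]) -> bool {
    if is_metadata(host, ip) {
        return false; // checked first, so no allowlist entry can override it
    }
    allow.iter().any(|e| cidr_contains(e, ip) || host_matches(e, host))
}

fn main() {
    // Constructed sample: the page's two entries plus one that tries to re-open link-local.
    let allow = ["*.olares.com", "10.0.0.0/8", "169.254.0.0/16"];
    for (host, ip) in [("n8n.olares.com", "10.1.2.3"), ("x.olares.com", "169.254.169.254")] {
        println!("{host} -> {}", allowlist_permits(host, ip.parse().unwrap(), &allow));
    }
}
```

Passing the resolved address alongside the hostname means an allowlisted name that resolves to a metadata address is still refused.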

Bug Fixes

  • Version sync — Workspace and Tauri desktop version now correctly report v0.5.5+. Users stuck on v0.5.1 should be able to update.
  • [SILENT] token handling (#877 by @pbranchu) — Case-insensitive matching for [SILENT], [silent], [Silent]. No longer stored literally in session history.
  • Token estimation (#881 by @pbranchu) — ToolUse arguments now included in text_length(), fixing premature context overflow on tool-heavy sessions.
  • Alpine.js settings page (#917 by @lc-soft) — Fixed expression errors when budget data is null by converting x-show to x-if.
  • Agent skills hot-reload (#900 by @neo-wanderer) — Changes to skills and mcp_servers in agent TOML now trigger reload correctly.
  • Telegram startup timeout (#898 by @tytsxai) — 10s timeout on setMyCommands/deleteWebhook prevents daemon boot hang on flaky Local Bot API.
  • Ollama context window — Discovered models now default to 128K context / 16K output instead of 32K/4K. Better reflects modern models.

Stats

  • 59 PRs merged, 22 closed/rejected across this release cycle
  • 33 bugs fixed, 31 issues closed
  • Full CSO security audit completed
  • All tests passing

Full Changelog: v0.5.6...v0.5.7
