github Vexa-ai/vexa v0.10.6.3
Vexa 0.10.6.3
on GitHub

22 hours ago

Vexa 0.10.6.3

7-pack stitched release replayed from v0.10.6 lineage, stitched into one candidate, validated end-to-end on three production-shape lanes (Compose VM, Lite VM, LKE Helm), and shipped after pack-by-pack sign-off.

What's new

  • Pack 1 — Recording Playback Trust (#364): one canonical master recording artifact; dashboard playback path with same-origin raw audio proxy; finalizer self-heal recovers JSONB from storage when bot exits before chunk-write; trust UX (neutral "Recording is finalizing..." replacing the red destructive banner).
  • Pack 2 — Speak Audio Delivery (#366): TTS provider routing (Piper default, voice=auto), multilingual /speak path with Ukrainian routing fix, separate pre-rendered audio_url / audio_base64 file-playback path.
  • Pack 3 — Meeting Admission & Platform Join Semantics (#372): Google Meet/Teams admission semantics, camera/treatment metadata, Continue-without-AV modal handling.
  • Pack 4 — Stop/Delete Lifecycle Convergence (#365): runtime callbacks, internal-secret preservation, stop→delete terminal-state convergence and cleanup sweeps.
  • Pack 5 — Billing & Webhook Idempotency (#369): producer-side claim of billing-sensitive completion events; stable public webhook headers/payloads; no duplicate completion emissions.
  • Pack 6 — Self-Hosted Browser Edge (#373): browser-facing config/proxy/auth edges explicit and public across Lite/Compose/Helm; internal services stay internal in self-hosted Lite.
  • Pack 7 — Release Identity & Packaging Hardening (#363): source/image/Helm/dashboard/CI/hardening metadata identify the same candidate; Chart SemVer/appVersion; security headers; npm lock consistency; dependency floors.

Session-authored fixes

  • aa2c0f6 — runtime-api k8s ServiceAccount-auth fix (corrected token mount/validation path that was returning HTTP 500 on POST /bots in LKE).
  • 5015f08 — supporting commit on the SA-auth fix path.
  • 7e9eb3f — supporting commit on the SA-auth fix path.
  • 0cfadb6 — main-merge conflict resolution (12 files), preserves INTERNAL_API_SECRET env from v0.10.6.1.
  • eefb722.gitguardian.yml allowlist for test-fixture webhook secrets.

Images

All 9 services published at :0.10.6.3 (also tagged :latest post-promotion, same digest):

Service Digest
vexaai/runtime-api:0.10.6.3 sha256:84a0a7b5bc25a19f76f19d6cc03fed84008d0869b4a307c893a21aa082fde876
vexaai/admin-api:0.10.6.3 sha256:6a52f2ab3f9242dcb76164889c3fee7927161282809228a564269c11fcfbad43
vexaai/api-gateway:0.10.6.3 sha256:8e481fc10f519384c3f156ffc5f4f94994fcdcb3781625dbb21dcb720c5f9d27
vexaai/dashboard:0.10.6.3 sha256:b7ae74bb4416ac4a5471faff03be896cf134d7f43e2dd38bc554d5e7f481e0f4
vexaai/mcp:0.10.6.3 sha256:8f8ff015945d7a47bba530e90ba8f0d41e6789ae81ec3c2ebbab1cc8f02390a1
vexaai/meeting-api:0.10.6.3 sha256:e3e47712a9b5ba3d7253e6a04091e8ad5b68a5c82ee457fa4b11893a088f6087
vexaai/tts-service:0.10.6.3 sha256:1f54d2fc6fb42226b7dab114651b6d4a36f530e9b7e8f034115d2d7c2a722b88
vexaai/vexa-bot:0.10.6.3 sha256:8845f35fab81262e6b1009c078338b4915e26e19f38729ef1654b530a2aae585
vexaai/vexa-lite:0.10.6.3 sha256:649fdd62e1858bd982a52c680c7533b2f6a50a5df7685b61436c112a29175e92

Verification

Candidate stood up cleanly on three production-shape throwaway lanes and passed gates:

  • Compose VM (Linode 45.33.72.232): 9-gate verify pass; live Google Meet smoke pass; transcript pipeline verified.
  • Lite VM (Linode 45.33.72.241): 9-gate verify pass; live Google Meet smoke pass.
  • LKE Helm (Akamai cluster 609680): chart install pass; runtime-api SA-auth verified post-fix; live Google Meet smoke pass.

End-to-end gates verified: recording playback (master + raw range + dashboard player), /speak multilingual audio delivery, Google Meet / Teams admission, stop/delete lifecycle terminal-state convergence, billing/webhook idempotency, security headers, version chip, source/image identity coherence.

Full evidence trail: .agents/releases/0.10.6.3-stitched/state.md + .agents/releases/0.10.6.3-stitched/image-manifest.md.

Upgrade notes

  • Helm chart: 0.10.6+3 (SemVer build metadata) / appVersion: "0.10.6.3". Chart .tgz is attached as a release asset.
  • Self-hosted Lite users: provider=piper, voice=auto, and voice_agent_enabled=true are now the documented Lite TTS defaults; separate pre-rendered audio_url / audio_base64 path documented in services/tts-service/README.md.
  • Dashboard playback now uses the same-origin raw audio route — operators with custom reverse-proxy setups should ensure the raw media route is reachable.
  • Operators upgrading from 0.10.6.x can pull :latest or pin to :0.10.6.3 by digest from the table above.

Known follow-ons

  • #388, #389 — accepted-with-rationale, deferred to 0.10.6.4. Both are CodeQL-flagged exploitable issues on the webhooks path (SSRF and path-traversal); neither is new in this release (alerts pre-date the candidate fork on 2026-05-23) and neither is on a customer-reachable surface in default deployments.
  • GitGuardian incidents 33129114/15/16 are test-fixture webhook secrets in .agents/packs/**/listener-meeting.json + transcript.json; repo-side allowlist landed in this release (.gitguardian.yml); dashboard-side dismissal is operator action.
Check out latest releases or
releases around Vexa-ai/vexa v0.10.6.3

Don't miss a new vexa release

NewReleases is sending notifications on new releases.

Get notifications