v1.9

Security Hardening, A0 CLI Connector, & Messaging UX Refresh

April 13, 2026

v1.9 closes two important security issues, adds the built-in A0 CLI Connector and its setup skill, restores lightweight lexical skill recall, gives Browser Agent runs their own model preset, and redesigns messaging integration setup flows across email, Telegram, and WhatsApp.

🛡️ Security Fixes

  • SSRF blocked in document_query remote fetching — Remote document fetching now validates URLs before any network request, blocks localhost and non-public IP targets, validates redirect hops, disables implicit proxy trust, and enforces a strict size cap. Third-party loaders no longer receive attacker-controlled URLs directly; content is prefetched and parsed from trusted local bytes instead. A follow-up compatibility fix also restores access to public sites that rejected the new request fingerprint.
  • Path traversal blocked in download_work_dir_file — Download requests are now rejected if their resolved path escapes the runtime base directory, preventing arbitrary file reads outside the allowed workspace.
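
An added example, not Agent Zero's own code, sketching the pre-request checks the SSRF item above describes: scheme and host validation, rejection of any non-public resolved address, and re-validation of every redirect hop. The names `validate_url`, `follow_validated`, `get_location`, `MAX_REDIRECTS`, and the sample DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed limit; the release notes give no number

class BlockedURL(ValueError):
    """A URL or one of its redirect hops failed validation."""

def validate_url(url, resolver=socket.getaddrinfo):
    """Return the public IPs a URL resolves to, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"unsupported URL: {url!r}")
    try:
        infos = resolver(parts.hostname, None, type=socket.SOCK_STREAM)
        addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    except (OSError, ValueError) as exc:
        raise BlockedURL(f"cannot resolve {parts.hostname!r}") from exc
    if not addrs:
        raise BlockedURL(f"no addresses for {parts.hostname!r}")
    for ip in addrs:
        # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the embedded IPv4 address.
        mapped = getattr(ip, "ipv4_mapped", None)
        if not (ip if mapped is None else mapped).is_global:
            raise BlockedURL(f"{parts.hostname!r} -> non-public {ip}")
    return addrs

def follow_validated(url, get_location, resolver=socket.getaddrinfo):
    """Validate every hop before requesting it; return the final URL.

    get_location(url) is a hypothetical callback that requests url with
    automatic redirects disabled and returns the Location header or None.
    """
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        location = get_location(url)
        if location is None:
            return url
        url = urljoin(url, location)  # Location may be relative
    raise BlockedURL("too many redirects")

# Constructed sample data so the example runs offline.
FAKE_DNS = {"docs.example": "93.184.216.34", "localhost": "127.0.0.1",
            "intranet.example": "10.0.0.5"}

def fake_resolver(host, port, type=0):
    ip = FAKE_DNS.get(host, host)  # names not in the table pass through as literals
    return [(socket.AF_INET, type, 6, "", (ip, 0))]
```

The returned addresses are what the caller should connect to; resolving the name a second time at connect time would let the answer change between check and use.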

✨ New Features

  • Built-in A0 CLI Connector plugin — Agent Zero now includes a host-side connector plugin so the A0 CLI can connect over authenticated HTTP and WebSocket, with capability discovery, chat/context lifecycle endpoints, log streaming, remote editing, code execution, and file-tree bridging.
  • a0-setup-cli built-in skill — A new setup skill guides users through host-side A0 connector installation with installer-first guidance, container-aware guardrails, fallback install paths, and updated Flare Tunnel connection guidance.
  • Restored lexical trigger-based skill matching — Lightweight trigger-word scoring is back in search_skills(), re-enabling skills_tool:search and lexical relevant-skill recall for the current user message without requiring vector-database recall.
  • Native chat controls for messaging integrations — Telegram, WhatsApp, and email threads now share transport-level commands like /project, /config, /send, and /queue send so you can manage the active chat directly from inside each integration.
  • Browser Agent model preset selection — Browser Agent runs can now use a dedicated _model_config preset instead of always inheriting the main model configuration.

🎨 UI & UX Improvements

  • Redesigned messaging integration settings — Email, Telegram, and WhatsApp settings panels now use clearer step-based setup flows, guided first-run experiences, provider presets for email, safer access warnings, richer test feedback, and responsive layouts. Advanced email routing, server, and scheduling options now live behind an Advanced section.
  • Componentized model config — The model configuration UI has been refactored into components, with the store split into mixins and API key management unified into one flow.

⚡ Other Improvements

  • Clearer plugin skill lifecycle guidance — Plugin skill documentation now formalizes install(), uninstall(), and preupdate() requirements when dependencies are involved.
  • Contributor sharing and fork safety docs — Added documentation to make collaboration and fork-based contribution workflows safer and easier to follow.