Changelog — ModelReins

API v4.8.5 2026-05-15 Latest

SSRF hardening: decimal/hex/octal numeric IP forms are now decoded before DNS

SSRF defense: numeric IP encodings

URLs like `http://2130706433/`, `http://0x7f000001/`, and `http://0177.0.0.1/` (all encodings of 127.0.0.1) are now decoded to their canonical IPv4 form BEFORE the safe-URL check, on every platform. Previously, Linux's getaddrinfo silently resolved decimal IPs to 127.0.0.1 (caught), but Windows getaddrinfo failed outright, so a Windows-hosted Companion treated the URL as 'DNS failed, denied' — denying correctly but losing the SSRF signal in audit logs. Defense-in-depth assumed numeric forms were caught here; now they actually are.
Cloud metadata endpoint (`169.254.169.254`) audit messages now say 'link-local — covers cloud metadata' instead of the generic 'private network address'. In Python 3.13+, the metadata IP has both is_link_local=True and is_private=True; the safe-URL check now orders link-local first so the specific threat is named in audit logs.

API v4.8.4 2026-05-15

Atomic job claim — duplicate-execution hole closed at the dispatcher

Atomic job claim closes the duplicate-execution hole

`PUT /jobs/{id}` with `status='running'` now conditionally claims the job only if its current status is `pending`. Two workers sharing a `WORKER_NAME` (companion restart in-flight, VM clone with stale hostname, network retry that lands after the first PUT already succeeded) can no longer both run the same prompt and double the token cost.
Collision returns 409 Conflict with the current status; the channel daemon (companion 4.5.13+) handles 409 cleanly — treats it as 'someone else got this one', rolls back local state, retries on next poll. Other transitions (done/failed/etc) still go through the standard path.
Pairs with the companion-side stuck-job watchdog (4.5.13) so the full duplicate-execution path is closed end-to-end.

Companion v4.5.13 2026-05-15

Channel watchdog, wizard polish, npm brain package, Linux exec fix

Channel doesn't go dead anymore

If Claude crashes mid-stream or a notification gets dropped, the channel no longer wedges with a stuck currentJobId. A new watchdog clears the slot and best-effort reports the job as failed after 30 minutes — generous enough that legitimate long-running Claude tasks don't get false-positived.
Pairs with the SaaS-side atomic claim shipped in 4.8.x: the channel now correctly handles 409 Conflict on claim collisions (treats it as 'someone else got the job' and rolls back local state for the next poll).

Setup wizard polish

The wizard now auto-picks the Director when you save — one fewer click in the most common path (closes #150).
'Open the Wall' button on the wizard's success screen actually opens the Wall now (closes #149).

Linux companion: screensaver fallback works

The screensaver mode's npx-fallback exec line is now correctly tokenized so the multi-word command parses on `freedesktop`-spec systems. Linux users running Companion as a screensaver get the same auto-update behavior Windows users already had.

Local brain carved into its own npm package

Companion's local routing brain (`local-brain.js`) is now published as `@mediagato/brain` on npm. Same code, same behavior — just consumable by other modules in the elifant ecosystem (silicon worker SDK, future Director surfaces, etc.) without vendoring.

License: BUSL-1.1

Companion repo now ships with an explicit BUSL-1.1 license file. Same license that the rest of MEDiAGATO ecosystem code uses — no change in terms, just visible in the tree now.

API v4.8.3 2026-05-13

Three quick-fire patches that close the SERIAL-gap saga on Postgres + small operational nits

Review-job SERIAL gaps closed

Fixed a bug where create_review_job's combined INSERT+UPDATE was advancing the jobs.id SERIAL counter on every retry, leaving holes in the job ID sequence. Now split into a stable INSERT first, UPDATE second — no more skipped IDs on Postgres.
Quality-gate flag is now coerced correctly under the Postgres TEXT column. Previously a stored '0' or 'false' could read as truthy because the TEXT representation was non-empty. The check is explicit now.

Operational small wins

Dev banner keys off the Host header instead of an env var, so staging and dev deploys correctly show their banner without needing a per-environment env var set.

API v4.8.0 2026-05-08

Director planner goes LLM-driven — and 'tools' are now 'skills' to match the rest of the agent ecosystem

LLM-driven Director planner

The Director now drafts plans by calling a worker LLM with the skill catalog as context. Out-of-the-box requests like 'help me draft an email about X' or 'pull the latest GitHub stars and write a memo' get planned with real reasoning instead of pattern matching.
Deterministic pattern matcher kept as the fallback. If the LLM is unreachable, returns malformed JSON, or names an unknown skill, the planner drops to the v4.7.0 patterns. End users never see a 500 from a bad LLM response.
Set `MODELREINS_DIRECTOR_LLM_DISABLED=1` on a server to force pattern-matcher only — useful for low-resource self-host deploys or when the worker fleet is empty.

'Tools' renamed to 'Skills'

Lined the Director up with the rest of the agent-platform vocabulary (Anthropic, OpenClaw, HyperAgent, Hermes, Wirken — they all call this 'skills'). Catalog endpoint at `GET /director/skills`. The legacy `/director/tools` returns the same payload under both keys for one release cycle, then it goes away.
A skill is a registered named capability the Director can invoke. Today's catalog has 9 (dispatch_inference, web_search, worker_list, fleet_find_worker_with_capability, worker_currently_loaded, worker_list_models, worker_load_model, worker_unload_model, dispatch_e2e_smoke). The Skill Factory feature — Director writing its own skills at runtime — is queued.

API v4.7.0 2026-05-08

Director substrate ships — request planner + admin model swap + chat UI

Director — request planner

New `/director` chat UI lets you type a request, see the plan the Director assembled, approve or cancel, then execute. Plans persist; you can revisit any prior plan.
Tool catalog at `GET /director/tools` lists what the Director can call: dispatch_inference, web_search, worker_list, fleet_find_worker_with_capability, worker_currently_loaded, worker_list_models, worker_load_model, worker_unload_model, dispatch_e2e_smoke.
v4.7.0 ships a deterministic pattern-matcher planner (search / smoke / list / model-swap / generic). LLM-driven planning is layer-2 work — the substrate (catalog, schema, endpoints, UI) is now in place so the swap-in is a single class change.

Admin model swap (Holly LM Studio substrate)

New endpoints under `/api/v1/workers/{worker_name}/`: `models` (list), `load_model`, `unload_model`, `admin_task/{id}` (track progress). Records intent in the new `worker_admin_tasks` table; daemon-side execution is queued.
Pairs with the Holly LM Studio CT 200 substrate live at `holly-lmstudio-01`. Once the daemon-side handlers ship, the Director can swap models on-fleet ('swap to qwen-coder-7b on holly-lmstudio-01') as a single step.
Master-token / platform-admin only. Tenant admins cannot load/unload on platform workers.

Schema additions

`director_plans` + `director_plan_steps` for plan persistence.
`worker_admin_tasks` for model-swap operations.

Companion v4.5.12 2026-04-26

Ollama install completes reliably.

Steadier first-run on Windows

The setup wizard's Ollama install step now signals completion the moment the Ollama API is reachable, instead of waiting on a PowerShell wrapper handle that could hang indefinitely on Win11.
If the UAC prompt is canceled or the install otherwise doesn't finish, the wizard surfaces a clear timeout message after 3 minutes instead of staying frozen.

Companion v4.5.11 2026-04-26

Artifacts land in the Wall.

Artifacts page in the Wall

When workers upload images, video, audio, or PDFs via `upload_artifact`, they now surface in a dedicated Artifacts page in the Wall carousel — image content-types render as thumbnails inline, others show a content-type pill.
Click any artifact to open its stable `/s/<slug>` URL in your system browser.

Quiet on older SaaS

If the Companion is paired with a SaaS instance older than API 4.6.0 (which doesn't expose `/artifacts`), the Wall just hides the Artifacts page — no error spam.

Companion v4.5.10 2026-04-26

Smoother upgrades.

Smoother in-place upgrades

The installer closes the running Companion automatically before installing the new build, so in-place upgrades always land on the latest version.

Wizard polish

The setup wizard's footer now shows the running Companion version.

Companion v4.5.9 2026-04-26

One-click pairing from the Wall.

Pair-state-aware Wall

When the Companion isn't paired with a fleet yet, the Wall now shows a Pair With Your Fleet prompt with the setup wizard one click away.
Local-only mode is a one-click choice from the same prompt — for users who want the on-machine routing brain without a SaaS pairing.

Wizard-aware lifecycle

When the wizard saves, the Wall swaps to the live dashboard immediately — no manual reload, no restart.

Companion v4.5.8 2026-04-26

Security and reliability hardening across the Companion.

Tighter trust boundaries

The local pairing handshake responds only to known IDE origins.
Brain-channel access validates every caller against the Companion's own renderer paths.
Installer execution requires absolute paths.

Cleaner Reset-to-defaults

Reset uses a marker-file + clean-boot pattern, so the wipe runs before any data files are opened.

Reliability

Ollama model downloads use an idle-timeout, so stalled connections surface clearly.
Job dispatch is reentrancy-safe and preserves output chunk order when streaming long responses.

MCP v4.5.1 2026-04-26

Steadier polling under network jitter.

Concurrency-safe job polling

The poll loop now drops a tick if the previous one is still in flight, so a slow API response can't trigger two concurrent claims of the same job.
A failed claim PUT (5xx, timeout, network blip) now rolls back the local state cleanly, so the next poll can retry the job from scratch instead of half-claiming it.
MCP notification failures release the in-flight job slot rather than silently wedging the channel until restart.

API v4.6.0 2026-04-22

Visual artifacts ship + silicon workers as first-class identities

Visual artifact pipeline

Workers can now produce images, video, audio, and PDFs as first-class outputs. Each artifact gets a stable URL at `modelreins.com/s/<slug>` (3-tier hosting: companion-local, modelreins-tunnel, or your own protowebb).
The review queue renders artifacts inline so a human can preview the actual image before approving it for publish — purpose-built for generative-AI compliance workflows where someone needs to eyeball every output.
Foundation for the upcoming creative-team use case: marketing departments generate brand assets at scale, your queue catches anything off-brand before it goes live.

Silicon workers as first-class identities

New `workers_registry` table: every silicon worker has a persistent identity independent of heartbeat/presence — declared capabilities, risk tiers (auto / audit / approve / session), audit trail, revocation.
New `/workers` dashboard for register / list / revoke. New reserved `platform` tenant for internal first-party workers (Moltbook bot, Director, Windows tester).
Pairs with the silicon-worker SDK 0.2.0 (see below) for the full developer experience.

Self-serve API key minting

New `/settings/api-keys` flow lets users mint scoped keys themselves. Keys appear once via a one-time-view URL with 15-minute TTL — no support tickets, no raw tokens emailed, no tokens in logs.

Smoother checkout

Tightened plan-picker routing across Pro / Team / Lifetime so every upgrade path lands at a clean checkout page in one click.

Sdk-node v4.4.4 2026-04-22

Catch-up release: playwright provider, killswitch, rate-limit phrases

Playwright worker provider

Wrap web UIs that have no API as first-class workers. Useful when the only way to get something done is to drive a browser.

Server-side killswitch awareness

Worker poll loop now honors a server-side killswitch — the dispatch fleet can be stopped centrally without restarting every worker.

Better rate-limit handling

More upstream rate-limit error phrases recognized + classified, so workers back off gracefully instead of failing jobs.

Sdk-python v0.2.0 2026-04-22

Workers can submit visual artifacts + queue reviews

New methods: upload_artifact() + submit_review()

`worker.upload_artifact(data, content_type, filename, ...)` — POST a binary blob (image, video, audio, PDF) through the artifact tunnel, get back `{slug, url, content_type, size_bytes}`. Multipart-encoded manually to stay stdlib-only — zero new dependencies.
`worker.submit_review(type, title, content, preview, target, ...)` — push content to the human-review queue with optional artifact preview. Used when a worker produces output that shouldn't publish without a human eyeball (risk_tier=audit or approve).

Image generation example

New `examples/image_generation_worker.py` shows the full pattern end-to-end: claim a job, call 1minai IMAGE_GENERATOR, upload result as artifact, submit to review queue. Drop-in starter for any text-to-image worker.

Sdk-python v0.1.0 2026-04-20

Build silicon workers in 60 seconds.

First release: modelreins-worker 0.1.0

A stdlib-only Python SDK for building silicon workers on ModelReins. One install command (`pip install modelreins-worker`), one class (`Worker`), five methods: heartbeat, inbox, claim, complete, run. The full public API fits on one screen.
Works with any ModelReins server at version 4.5.0 or later. Uses worker-token auth through the existing one-time-view retrieval flow — raw tokens never transit email or chat.
Silicon workers become first-class employees in your tenant: declared capabilities, risk tiers (auto / audit / approve / session), audit trail, revocation. See /workers on your dashboard to register your first one, or the docs page linked below.

Companion v4.5.7 2026-04-19

Cleaner first-run on fresh Windows.

Ollama installer elevates cleanly

Fresh Windows installs complete the Ollama setup step in about 30 seconds — Companion now requests elevation explicitly before handing the installer control.
Carries forward 4.5.6's brighter Stirrup tray icon, clean first-run, double-click-safe installer, and 256k Ollama context default.

Companion v4.5.6 2026-04-18

Brighter Stirrup in your tray.

Brighter Stirrup in your tray

The Companion's tray icon now uses the same `#00ff88` green that's on the landing page and the logo. Brand-consistent, opaque, unmissable in a row of colorful system-tray icons.
Carries forward 4.5.5's clean Windows first-run, double-click-safe installer, and 256k Ollama context default.

Companion v4.5.5 2026-04-18

Cleaner Windows first-run.

Cleaner Windows first-run

Fresh Windows installs now land on a working local worker without hand-holding. The install wizard progresses cleanly through Ollama setup and model pull on the first try.
Double-clicking the downloaded installer no longer produces two wizards on top of each other — the installer now holds a single-instance lock so the second launch quietly no-ops.
Ollama is configured with a 256k context window out of the box, ready for long prompts.

Saddle v4.5.7 2026-04-17

Zero-click auto-pair.

Auto-pair with the local Companion

When the Saddle has no token stored, it now probes the Companion's loopback router (127.0.0.1:11435/pair) and picks up your API token silently. Zero clicks, no paste, no tray hunt. Just works if the Companion is running on the same machine.
Manual paste still works for remote-VSCode setups or split-machine configurations. Graceful fallback.

Saddle v4.5.6 2026-04-17

Connect, visibly.

Auth flow you can't miss

When the Saddle has no API token stored, the Patch panel shows an explicit "Not connected yet" card with a Connect button. Click it, paste your token from the Companion tray, done.
"ModelReins: Connect to Patch" is now properly registered in the Command Palette, so you can start the auth flow from anywhere with Ctrl+Shift+P.
After a successful connect, the fleet refreshes immediately — you see your worker show up without waiting for the next poll.

License + small fixes

README corrected: the extension is under Business Source License 1.1, not MIT. Matches the rest of the ModelReins repo.
Saddle strip section count updated in docs (three segments: effort, mode, targets).

Saddle v4.5.5 2026-04-17

Fresh coat.

Look-and-feel refresh

Marketplace icon updated to the circular hands-and-reins mark that matches the Companion and the landing page.
Extension description and README rewritten around the 4.5.x story: Companion-first, local-first, trivial-tier dispatch to your own hardware.

Default tier, honestly

The package-level config default is now "trivial" — matching the runtime. Fresh installs see "trivial" in the Saddle strip on first load.

Saddle v4.5.4 2026-04-17

Dispatch that matches your fleet.

Smarter defaults

First-run effort tier is now "trivial" — maps to your local Companion worker, so fresh installs dispatch to qwen2.5 the moment you sign in. Click up to standard/deep/critical once you add cloud workers.
Connect prompt asks for your API token and nothing else. Server URL defaults silently; override only if you self-host.

Quality gate, on your terms

When your fleet has no eligible reviewer for the current tier, the quality gate auto-passes with a note. Clean jobs table, clean head.

Companion v4.5.2 2026-04-17

Auto-pair with the Saddle.

Loopback pair endpoint

The Companion now exposes its API credentials at `http://127.0.0.1:11435/pair` for any client running on the same machine. The Saddle uses this to auto-pair on first launch — you install the Companion, install the Saddle, and the Saddle just connects. No token paste, no tray hunt.
Loopback-only (bound to 127.0.0.1), so nothing on the network can pull your token. Your keys stay local.

Companion v4.5.1 2026-04-17

Tray lights up on finish.

Copy API Token, right after the wizard

The tray menu's "Copy API Token" item enables the moment the setup wizard writes your token — no companion restart needed.
Applies to both fresh-install wizards and the older save-config path.

Companion v4.5.0 2026-04-17

First-run, every time.

Setup you can watch

The wizard runs six named stages — detect your AI engine, install Ollama, pull the routing brain, connect your account, seed the Director, register the worker. Each stage reports status as it lands. Every external failure surfaces in plain text, no trailing ellipses.
Your API token appears on the done screen with a copy button, ready for the Saddle. System tray handshake confirms where the app is running.

Tray, redone

Copy API Token — clipboard in one click, confirmation balloon.
Check for Updates — pings the server, flags newer builds, points you at the download.
Ollama submenu — reinstall, remove and clear the model cache, or open Ollama's site. Keep your local brain on your terms.

Cleaner install, cleaner uninstall

The uninstaller asks whether to keep or wipe your ModelReins config, and separately whether to remove Ollama. Defaults keep everything; one-click wipes when you want a truly fresh start.
Stale Ollama partial-chunk files get cleaned before each model pull, so interrupted downloads don't poison the next one.
Ollama detection tries IPv4, IPv6, and hostname localhost so the VM quirks that used to hang the wizard don't anymore.

Saddle v4.5.2 2026-04-15

Red button in reach.

Killswitch in the Saddle

A red "kill" button sits next to "send it." One tap aborts every in-flight job in the current thread, leaves other threads and other workers untouched. Scalpel, not sledgehammer.
Works for both single-worker and fan-out dispatches. Fail-soft — one bad abort won't block the rest.

Quietly Better

Background stability work. No behavior changes to normal dispatch.

Saddle v4.5.1 2026-04-15

What's new in ModelReins