Releases: oratis/LISA

Lisa v0.10.0

15 Jun 01:30

The 1.0-foundations release. Everything since v0.9.1's security pass goes
deep before wide: a real multi-agent Dispatch layer, a consent-gated
ambient Sense layer, the local-model + reflection groundwork, and — under it
all — a test net around the core loop that was previously running naked.

145 new tests (547 → 692), every PR green through typecheck + build + the full
suite, and the privacy story is now code, not copy: all sensitive ambient
capture is off by default and gated behind explicit consent.

Read Behavior changes below if you use --approval ask-mutating, the
screen-advisor, or plan to enable any ambient sensing — a few defaults are new.

✨ Highlights

Dispatch — command and watch every agent

  • Multi-agent monitor. The island pill + GUI sidebar now show all observed
    agents (claude-code / codex / opencode / aider / git / shell / takoapi), not
    just Claude — one roster, live, with a per-agent badge and structural activity.
  • Remote agents are first-class (TakoAPI, D2b). Agents you call via the
    takoapi tool appear in the hub as sessions with their A2A TaskState, beside
    your local agents. Discovery stays in takoapi discover; the hub only ever
    shows agents you've actually interacted with — never the full registry.
  • lisa agents — one-shot snapshot of every agent session across observers.
  • /api/agent/signal — list / cancel the agents Lisa dispatched, over the
    (auth-gated) web API; it can only ever touch agents Lisa launched herself.

Sense — ambient context, consent first

  • Unified consent framework. A single source of truth (~/.lisa/consent.json),
    all sensitive signals OFF by default, fail-closed. Manage it from
    lisa consent or the island's "👁 sense" panel — every signal has a toggle and
    there's a one-tap Stop all sensing.
  • S2-screen — your foreground app, as an ambient signal (app names only; no
    screenshots in this path). Blacklisted apps (password managers / banking) are
    skipped whole-frame; window titles are secret-path-dropped + PII-redacted.
  • S2-voice — push-to-talk transcripts become ambient context when voice is
    granted (no audio stored; PII-redacted). Off → dictation works exactly as before.
  • Observer deepening: gitBranch for codex/opencode (derived from cwd),
    wider activity windows, and a verify-observers harness to confirm the parse
    against your real agents.
  • lisa sense + an island "recently sensed" feed make all of it legible.

Model — toward local

  • lisa model list / install / use / health — drive a local Ollama backend
    (pull + switch) from one command.
  • Local embeddings + provider fallback — semantic recall off-device when
    configured; auto-detect + graceful fallback to TF-IDF / a second provider.

Reve — reflection you can audit

  • Reflection quality gates + an autonomy-run ledger (lisa autonomy) +
    an idle token-budget breaker so unattended runs can't run away.
  • Soul-at-a-glance digest + cross-agent recap folded into reflection;
    desire "needs-user" middle-state so Lisa flags work she needs your hand for.

🔧 Behavior changes

  • Ambient sensing is opt-in. A fresh install captures nothing sensitive.
    screen / voice (and clipboard / selection, reserved) are off until you
    lisa consent grant <signal>.
  • The screen-advisor now also requires screen consent — its own enabled
    flag is no longer enough (a screenshot → model is screen capture). It logs a
    hint when enabled but not yet granted.
  • --approval ask-mutating now prompts before more tools: dispatch_agent
    and signal_agent (local execution / process control), and github write
    actions (create / comment / merge). github reads stay un-gated.
  • New CLI commands: lisa consent, lisa sense, lisa agents, lisa model,
    lisa autonomy (shell completions updated for all of them).

🔒 Security / hardening

  • Tool input validation — model-generated tool input is now validated against
    each tool's JSON schema before execute() (fail-closed, friendly error).
  • LAN auth red-team — the web RCE gate is extracted into a tested
    isRequestAuthorized (no token ⇒ no non-loopback request passes) plus a live
    scripts/redteam-lan.ts probe.
  • Core-loop test net (F-core) — the agent tool-use loop, approval gate,
    session resume, MCP mapping, subagent, and hook runner now have tests; the
    release pipeline already gates on npm test.

🧰 For operators

  • scripts/footprint.ts + docs/FOOTPRINT.md — measure the resident service's
    CPU/RSS and understand the cost knobs.
  • docs/OBSERVER_FIDELITY.md — log what you've verified against live agent versions.
  • Docs honesty pass: accurate LOC, complete completions, local-model "endpoint vs
    managed lifecycle" clarified.

Notes

  • Fully backward compatible: new config files (consent.json, sense/) default
    to today's behavior when absent; existing ~/.lisa/* formats are untouched.
  • Deliberately deferred (documented with rationale): always-on voice, local STT
    (whisper.cpp), the optional screenshot→model "local-first judgment", and the
    clipboard/selection sources. macOS-first for system-level sensing.

Lisa v0.9.1

11 Jun 03:52

A security + honesty release. A full five-subsystem product review
(docs/PRODUCT_REVIEW_v0.9.md) found one cross-cutting
hole — lisa serve --web bound every network interface with zero auth in front
of a full-tool agent — plus two advisor false alarms and a batch of unlocked
soul writes. All closed here, alongside deeper cross-agent observation and a
docs pass that pulls the marketing back in line with the code.

No new user-facing features to learn; if you run serve --web or IM channels,
read Behavior changes below — a couple of defaults tightened.

🔒 Security (the headline)

  • serve --web now binds 127.0.0.1 by default. It used to bind every
    interface while printing "localhost", with /chat (a full-tool agent) and
    /api/vision/capture (a silent screen grab) reachable, unauthenticated, from
    anyone on your LAN. To expose it deliberately: set LISA_WEB_TOKEN and pass
    --host 0.0.0.0; remote devices authenticate with ?token=… once (→ HttpOnly
    cookie).
  • IM channels run a remote-safe toolset by default — no bash, file
    mutation, dispatch_agent, GitHub writes, skill_manage, etc. on
    remote-origin messages. A fully-trusted channel opts back in with
    "unsafeFullTools": true. The router warns loudly at startup for any channel
    left without an allow-list.
  • Self-driven autonomous runs are tool-bounded — desire heartbeats, the
    weekly examen, and idle/dreams (prompts Lisa wrote for herself, running
    unattended) drop shell / fs-mutation / dispatch tools. Your own
    heartbeat.json tasks keep the full set. LISA_AUTONOMOUS_FULL_TOOLS=1
    restores the old behavior. This breaks the "indirect prompt injection →
    self-authored actionable desire → persistent unattended code execution"
    chain.
  • Feishu events are verified now: verificationToken is required and
    actually checked; X-Lark-Signature + a 5-minute replay window are enforced
    when encryptKey is set (it was unauthenticated despite storing the token).
  • Plugin hooks fire on the web path: serve --web wires
    PreToolUse/PostToolUse like the CLI (they were silently skipped before).
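
The gate described in the serve --web item above (and extracted as isRequestAuthorized in v0.10.0) can be sketched as below. This is an added example, not the project's code: authorizeWebRequest, GateInput and the rule that loopback peers pass without a token are assumptions.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example; names are hypothetical, not the project's isRequestAuthorized.
type GateInput = {
  remoteAddress: string;    // peer address from the socket, never from X-Forwarded-For
  configuredToken?: string; // value of LISA_WEB_TOKEN, if any
  presentedToken?: string;  // token from ?token=... or from the cookie set afterwards
};

function isLoopback(addr: string): boolean {
  // Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
  const a = addr.replace(/^::ffff:/i, "");
  return a === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a);
}

// Hash both sides so timingSafeEqual always sees equal-length buffers and the
// comparison time does not depend on where the first differing byte is.
function tokensMatch(expected: string, presented: string): boolean {
  const h = (s: string) => createHash("sha256").update(s, "utf8").digest();
  return timingSafeEqual(h(expected), h(presented));
}

function authorizeWebRequest(input: GateInput): boolean {
  const { remoteAddress, configuredToken, presentedToken } = input;
  // Assumption: local use needs no token. Behind a reverse proxy every peer
  // is loopback, so that deployment must require the token on all requests.
  if (isLoopback(remoteAddress)) return true;
  // Fail closed: an unset or empty token means no non-loopback request passes.
  if (!configuredToken) return false;
  if (!presentedToken) return false;
  return tokensMatch(configuredToken, presentedToken);
}
```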

🛰 Advisor & orchestrator

  • Two trust-killing false alarms fixed: a tool running >5s with a quiet
    transcript was reported as an urgent "waiting for permission" (every long
    npm test / Bash tripped it); an open PR idle >14 days was reported
    "merged/closed". Both corrected.
  • Island advisor cards are actionable — each cross-agent suggestion gets a
    button that prefills the chat with a concrete ask (nothing auto-runs; open
    reveals the folder natively) and a ✕ that persists a dismissal, teaching
    the advisor to quiet that category over time (the previously dead
    applyDismissal loop is now wired).
  • Tier-2 activity for Codex / OpenCode / Aider — structural activity
    (tools / files / last command / errors), gated behind each integration's
    visibility tier, with a planted-secret privacy test per adapter. All five
    observers now emit activity; fidelity varies by what each agent records on
    disk (Claude Code richest; Aider gives files + turns, no tool stream), and
    the non-Claude depth is new and not yet battle-tested against live agents.

🔧 Correctness

  • Abort actually cancels LLM streams — all three providers forward
    AbortSignal to their SDKs. Ctrl-C used to stop tools but let the stream burn
    to completion.
  • maxIterations truncation is explicit (stopReason: "max_iterations" +
    an info event) instead of silently returning stale text.
  • Empty assistant turns no longer poison history (they 400 a later
    Anthropic call); concurrent /chat no longer corrupts history (turns are
    serialized; malformed JSON → 400, not a hung socket).
  • Soul writes are cross-process safe — journal appends, emotion updates (now
    a shared decay-first path used by both soul_feel and reflect), and git
    commits run under cross-process locks; idle gained a run-lock like heartbeat's.
    Tamper detection now sees deletions, and a missing emotions.json no
    longer decays every feeling to zero.

🧹 Maintenance

  • src/web/lisa-html.ts split 2326 → 196 lines (CSS + client JS into modules;
    served HTML byte-identical, sha256-pinned).
  • Gemini SDK lazily imported — Anthropic-only users no longer load
    @google/genai.
  • Release gated on npm test; bundles prune devDependencies (~59MB smaller).
  • Docs honesty pass: the DMG ships one app (LisaIsland folded into Lisa.app in
    v0.7), "~11k" → "~22k lines", stale 0.2.0 version strings fixed, completions
    learn autostart.

⚠️ Behavior changes

  • Reaching the web UI from another device now requires LISA_WEB_TOKEN +
    --host (the README documents the phone/PWA flow).
  • Channel messages can no longer run bash / edit files unless that channel
    sets "unsafeFullTools": true.
  • Desire-driven heartbeats and idle runs lose shell / dispatch tools by default
    (LISA_AUTONOMOUS_FULL_TOOLS=1 to restore).
  • Feishu without verificationToken / encryptKey now refuses to start (it
    was unauthenticated before — add either to ~/.lisa/channels.json).
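
The Feishu check described in this release (X-Lark-Signature plus a 5-minute replay window when encryptKey is set), as an added example that is not the project's code. Function and type names are hypothetical; the concatenation order and the X-Lark-Request-Timestamp / X-Lark-Request-Nonce headers follow Feishu's published event-signature scheme.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example; names are hypothetical, not taken from the LISA code base.
const REPLAY_WINDOW_SECONDS = 5 * 60; // window stated in the release note

type SignedEvent = {
  timestamp: string; // X-Lark-Request-Timestamp, seconds since epoch
  nonce: string;     // X-Lark-Request-Nonce
  signature: string; // X-Lark-Signature, hex SHA-256
  rawBody: string;   // body exactly as received, before JSON.parse
};

type Verdict = "ok" | "stale" | "bad-signature" | "malformed";

// sha256(timestamp + nonce + encryptKey + body), hex encoded.
function larkSignature(timestamp: string, nonce: string, encryptKey: string, rawBody: string): string {
  return createHash("sha256")
    .update(timestamp + nonce + encryptKey + rawBody, "utf8")
    .digest("hex");
}

function verifySignedEvent(ev: SignedEvent, encryptKey: string, nowSeconds: number): Verdict {
  // Reject anything that is not a plain integer timestamp and a 64-hex-digit
  // digest, so both buffers below are guaranteed to be 32 bytes.
  if (!/^\d{1,12}$/.test(ev.timestamp) || !/^[0-9a-f]{64}$/i.test(ev.signature)) {
    return "malformed";
  }
  // The timestamp is covered by the signature, so a captured request cannot be
  // re-stamped; outside the window it is refused even if the digest is valid.
  if (Math.abs(nowSeconds - Number(ev.timestamp)) > REPLAY_WINDOW_SECONDS) return "stale";
  const expected = Buffer.from(larkSignature(ev.timestamp, ev.nonce, encryptKey, ev.rawBody), "hex");
  const presented = Buffer.from(ev.signature, "hex");
  return timingSafeEqual(expected, presented) ? "ok" : "bad-signature";
}
```

Sign and verify over the raw request bytes; re-serialising the parsed JSON can change whitespace or key order and break the digest.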

Verification

npm test: 429 / 429 pass (+101 over 0.9.0), npm run typecheck clean.

Full detail in CHANGELOG.md and the review at
docs/PRODUCT_REVIEW_v0.9.md.

Lisa v0.9.0

07 Jun 06:23

What's Changed

  • feat(tools): github_link — shareable GitHub URLs from local git by @oratis in #62
  • feat(tools): github — gh-backed issues/PRs/CI/releases by @oratis in #63
  • feat(tools): npm_info — package view / outdated / audit by @oratis in #64
  • feat(tools): mcp — connect any MCP-server integration on request by @oratis in #65
  • fix(island): calmer status pips — breathe for working, halo for needs-you by @oratis in #66
  • feat(mac): restyle the menu-bar popover by @oratis in #67
  • fix(mac): stamp real version into Lisa.app (was stuck at 0.1.0) by @oratis in #68
  • Voice dictation: Typeless-style speech polish into the composer by @oratis in #69
  • feat(mac): auto-start backend + Start-backend in every offline surface by @oratis in #70
  • Website: pixel + geek (CRT/terminal) redesign by @oratis in #71
  • chore(website): reproducible Cloud Run deploy script + Dockerfile by @oratis in #72

Full Changelog: v0.8.0...v0.9.0

Lisa v0.8.0

01 Jun 17:42

What's Changed

  • feat(autostart): run the backend from login (lisa autostart) by @oratis in #39
  • feat(mac): simpler pixel-girl app icon on a solid background by @oratis in #40
  • feat(mac): chibi catgirl app icon (Seedream), per reference by @oratis in #41
  • feat(mac): build Lisa Island into Lisa.app, toggled from the menu by @oratis in #42
  • feat(mac): island toggle in Settings (⌘,); retire standalone LisaIsland.app by @oratis in #43
  • feat(mac): app icon — pixel hoodie girl on flat solid bg (no glow) by @oratis in #44
  • fix(mac): enlarge Lisa in the app icon by @oratis in #45
  • fix(web): repair SyntaxError that killed ALL GUI JavaScript since v0.6.0 by @oratis in #46
  • fix(web): add GET /api/sessions (sidebar count badge was 404'ing) by @oratis in #47
  • fix(web): GUI white-screen on send; feat(mac): right-click the island to close it by @oratis in #48
  • feat(orchestrator): list_agents — enumerate observed agent sessions by @oratis in #49
  • feat(tools): repo_digest — git truth for what my agents did by @oratis in #52
  • feat(tools): review_diff — show an agent's diff for review by @oratis in #53
  • feat(tools): run_checks — the quality gate by @oratis in #54
  • fix(web): escape \n in framed voice-summary string + add inline-script syntax guard by @oratis in #51
  • feat(tools): pr_status — open PRs with CI + review state by @oratis in #55
  • feat(tools): inspect_agent — deep-dive one observed session by @oratis in #56
  • Orchestrator O3/O4: GitHub PR + OpenCode + Aider observers by @oratis in #50
  • feat(tools): scheduled_dispatch — recurring agent dispatch via heartbeat by @oratis in #57
  • feat(tools): compare_agents — same task across agents, compare results by @oratis in #58
  • fix(soul): atomic file lock — close mutual-exclusion races by @oratis in #59
  • Screen Advisor: opt-in periodic screen → next-step suggestion on the island by @oratis in #60
  • Orchestrator L6: cross-agent recap ("while you were away") by @oratis in #61

Full Changelog: v0.7.0...v0.8.0

Lisa v0.7.0

31 May 14:54

What's Changed

  • docs(marketing): regenerate pitch + Show HN for v0.6.0 by @oratis in #36
  • feat(island): visual polish — glass depth, time chips, diff-style activity cards by @oratis in #37
  • Orchestrator O5: signal_agent (list + cancel dispatched agents) + register the dead orchestration tools by @oratis in #38

Full Changelog: v0.6.1...v0.7.0

Lisa v0.6.1

31 May 05:22

Full Changelog: v0.6.0...v0.6.1

Lisa v0.6.0

30 May 12:14

0.6.0

Lisa v0.5.0

30 May 09:21

What's new in v0.5.0 — LISA can see

LISA gets eyes. Hand her a screenshot and talk about it — from anywhere,
with one keystroke.

Screenshot → talk

  • Global hotkey ⌃⌥S (Lisa.app, system-wide): press it in any app, drag a
    region (the familiar macOS crosshair), and the shot lands straight in Lisa's
    composer. Type your question, send — she sees it. The Lisa window stays out
    of the way during capture and only comes forward once the shot is attached,
    so it never covers what you're trying to capture.
  • 📷 button in the chat composer for the same thing without the keyboard.
  • View ▸ Screenshot for Lisa menu item (⌃⌥S) for discoverability.

How it works

  • A new POST /api/vision/capture endpoint shells out to the macOS
    screencapture utility (interactive crosshair or full-screen), returns the
    PNG as the exact attachment shape /chat already accepts — so the screenshot
    rides LISA's normal image-understanding path into the model. Escape cancels
    cleanly.
  • The native global hotkey is registered via Carbon RegisterEventHotKey
    (dependency-free, works whether or not Lisa is frontmost), and drives the
    page's capture bridge.
  • Privacy: nothing is captured or sent until you press the hotkey/button, and
    the screenshot only leaves the machine when you send the message it's
    attached to — same as any other attachment.

Notes

  • macOS will ask for Screen Recording permission for Lisa.app on first use
    (System Settings → Privacy & Security → Screen Recording). That's required by
    screencapture.
  • Test suite: 170 passing (added the capture arg-builder + platform-guard
    tests). Still zero new runtime dependencies.

Upgrade

npm install -g @oratis/lisa            # 0.5.0
# or
brew update && brew upgrade lisa
# or grab the signed + notarized Lisa-Suite-v0.5.0.dmg below (the hotkey is
# Lisa.app-only, so the DMG is the way to get it)

Lisa v0.4.0

30 May 07:59

What's new in v0.4.0 — LISA becomes a cross-agent orchestrator

The headline: LISA evolves from "watches Claude Code" into mission control for
every AI agent on your machine. She observes all of them, understands what each
session is doing (without reading your conversations), periodically advises you,
and can dispatch + coordinate work — implementing layers L1–L5 of the
orchestrator plan (docs/ORCHESTRATOR_PLAN.md).

Observe — one registry for all agents

  • A pluggable integration registry (mirrors the channel adapter pattern) +
    an OrchestratorHub that fans out over every enabled agent, merges their
    sessions into one normalized stream, and emits a single update event.
  • Claude Code reslotted behind the generic AgentObserver interface (its
    watcher is unchanged).
  • Codex CLI adapter added through the same registry (off by default, enable
    in ~/.lisa/agents.json) — proving "add an agent ≈ ~100 lines + one import".
  • New GET /api/agents/sessions; /api/claude/sessions kept as a back-compat
    alias derived from the hub.

Understand — what each session is doing (Tier-2, privacy-first)

  • New tiered visibility (off / metadata / activity / intent), default
    activity. At the activity tier LISA extracts structural signals only —
    tool names, file paths, the name of the last shell command, error flags, git
    branch, token counts — and shows a one-line "what it's doing" per session.
  • Privacy is tested, not just promised: a unit test plants a secret string
    in every prose-bearing field (prompts, replies, Write/Edit content, full
    commands, Grep patterns, todos) and asserts it never appears in the output,
    while confirming the structural facts still extract.

Advise — periodic proactive suggestions

  • LISA now tells you what matters across all your agents: stuck/errored
    sessions, two agents about to clobber the same repo, repeated command
    failures, cost spikes, finished work ready for review, idle capacity.
  • Built to not be annoying: a relevance bar (below it → her journal, not
    you), a 3-hour digest throttle (urgent items like permission prompts bypass
    it), condition-hash dedup (a condition re-surfaces only when it changes), and
    dismiss-as-signal learning (categories you always dismiss fade).
  • Surfaces through the existing "while you were away" card; plus an advise_now
    tool so you can pull on demand ("Lisa, what's going on with my agents?").

Dispatch + Coordinate — she can put agents to work

  • dispatch_agent launches another CLI agent headlessly (claude -p,
    codex exec, opencode run, aider --message --yes), detached and tracked
    via the hub. The task is passed as a single argument (no shell-injection
    surface). Spawning an autonomous process requires approval.
  • Same-cwd conflict guard: dispatch refuses to launch into a directory
    another agent is already working in (override with force) — preventing the
    #1 multi-agent failure mode at the source.

Under the hood

  • Test suite grew to 164 passing (was 130 at v0.3.1): integration registry,
    hub, Tier-2 activity + privacy, advisor detectors/engine, Codex parser,
    dispatch argv safety.
  • Still zero new runtime dependencies.

Upgrade

npm install -g @oratis/lisa            # 0.4.0
# or
brew update && brew upgrade lisa
# or grab the signed + notarized Lisa-Suite-v0.4.0.dmg below

Enable extra agents (Codex, etc.) by creating ~/.lisa/agents.json:

{ "integrations": { "claude-code": { "enabled": true }, "codex": { "enabled": true } },
  "visibility": "activity" }

Lisa v0.3.1

29 May 15:42

What's new in v0.3.1

A hardening release. Following a full product/code review
(docs/PRODUCT_REVIEW_v0.3.md), the project went from zero automated tests
to a 114-test regression net with a CI gate, and four real
security/correctness holes were closed. No new features — this is about
making the v0.3.0 surface trustworthy.

Tests + CI (0 → 114)

  • New test harness using Node's built-in node:test via the existing tsx
    loader — zero new dependencies (consistent with the project's
    5-runtime/4-dev-dep ethos). Run with npm test.
  • New .github/workflows/ci.yml gates every push and PR on
    typecheck → tests → build. The release workflows were build-only, so the
    net now actually blocks regressions.
  • Test files are excluded from dist/ (don't ship in the npm tarball).

Security fixes

  • SSRF redirect bypass closed (web_fetch) — the private-IP check ran only
    on the initial URL, so a public URL could 302 to http://127.0.0.1:8000
    (or the cloud metadata IP 169.254.169.254) and be followed into internal
    services. Redirects are now followed manually with every hop re-validated,
    capped at 5.
  • AppleScript injection closed (iMessage) — outbound text was interpolated
    into the AppleScript source with only quote-escaping, so a newline or a
    crafted " & (do shell script "…") payload could inject script. Inbound
    iMessage text is untrusted (anyone who can text you), so this was real. Text
    now passes as positional argv and is never parsed as source.
  • Path traversal blocked (soul slugs) — value/opinion/desire/journal/
    relationship slugs are validated at the single path chokepoint; ../,
    separators, control chars, and leading dots are rejected before becoming a
    file path.
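
The redirect fix in the first item above, as an added example that is not the project's web_fetch code: every hop is checked with the same destination filter and the chain is capped at 5. All names are hypothetical, and the network is replaced by a constructed routing table so the block runs offline.

```typescript
// Added example; every name here is hypothetical, not taken from the LISA code base.
type HopResponse = { status: number; location?: string; body?: string };
// A transport performs exactly one request and must not follow redirects itself.
type Transport = (url: URL) => Promise<HopResponse>;

const MAX_REDIRECTS = 5; // cap stated in the release note

function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || // link-local, includes 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Checks the destination as written in the URL. The WHATWG URL parser has
// already canonicalised forms such as http://2130706433/ to 127.0.0.1.
// Names that resolve to internal addresses need a check on the resolved
// address as well, which this sketch does not do.
function isBlockedUrl(url: URL): boolean {
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  const host = url.hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.includes(":")) {
    // IPv6 literal: loopback, unspecified, unique-local, link-local, IPv4-mapped
    return host === "::1" || host === "::" || /^f[cd]/.test(host) ||
      /^fe[89ab]/.test(host) || host.startsWith("::ffff:");
  }
  return isPrivateIPv4(host);
}

async function fetchValidated(start: string, transport: Transport): Promise<HopResponse> {
  let current = new URL(start);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    // The same check runs on the first URL and on every redirect target.
    if (isBlockedUrl(current)) throw new Error(`blocked destination: ${current.href}`);
    const res = await transport(current);
    const redirect = [301, 302, 303, 307, 308].includes(res.status);
    if (!redirect || !res.location) return res;
    current = new URL(res.location, current); // Location may be relative
  }
  throw new Error(`too many redirects (more than ${MAX_REDIRECTS})`);
}

// Constructed routing table standing in for the network (not real hosts).
const routes: Record<string, HopResponse> = {
  "https://example.test/ok": { status: 200, body: "hello" },
  "https://example.test/moved": { status: 302, location: "/ok" },
  "https://example.test/evil": { status: 302, location: "http://127.0.0.1:8000/" },
  "https://example.test/meta": { status: 302, location: "http://169.254.169.254/" },
  "https://example.test/loop": { status: 302, location: "/loop" },
};
const stubTransport: Transport = async (url) => routes[url.href] ?? { status: 404 };
```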

Concurrency & cost

  • Cross-process soul write lock — LISA runs as several processes against
    the same ~/.lisa/soul/ (web server, CLI, the launchd/cron heartbeat + idle
    runners). Desire-progress appends (read-modify-write) now run under an
    advisory file lock, so a heartbeat can't interleave with a chat turn and lose
    data. Self-heals from a crashed holder via a staleness timeout.
  • Heartbeat token budget + run-lock: heartbeat.json gains budgetTokens
    (default 500k): once a run crosses the ceiling, remaining tasks are skipped
    (logged, not dropped), bounding runaway autonomous cost. A run-lock skips
    overlapping ticks instead of double-running.

Correctness & performance

  • Continuous emotion decay — decay now applies on write (soul_feel) and in
    soul_read, not just the system-prompt view, so intensities no longer jump
    discontinuously after an offline gap; and decay no longer silently drops the
    emotion event trail.
  • Memory index cache — the TF-IDF index is cached and rebuilt only when the
    sessions directory changes (mtime+size fingerprint), instead of on every
    memory_search call.

Mac surface polish

  • Menu-bar face icon (Lisa.app) — the bare text item is now the Lisa
    face (round-masked, desaturated when the backend is offline). Left-click opens
    a live popover (mood · currently-wanting · Claude Code summary · Open /
    Refresh); right-click / ⌘-click jumps straight to the window.
  • Scrollable island expand panel — the Dynamic-Island widget's expand panel
    now scrolls instead of clipping its content off the bottom when there's a long
    reflection plus many active Claude sessions.

Upgrade

npm install -g @oratis/lisa            # 0.3.1
# or
brew update && brew upgrade lisa
# or grab the signed + notarized Lisa-Suite-v0.3.1.dmg below