realvco Docs

v2026.4.14 — GPT-5.4 Family + Multi-Channel Stabilization

Released: April 14, 2026 Theme: Model compatibility + channel fix batch Breaking Changes: None

Core Highlights

1. gpt-5.4-pro Forward Support

Forward-compat support for the OpenAI Codex gpt-5.4-pro: pricing, usage limits, list/status visibility — all in place before the upstream catalog catches up.

2. Telegram Forum Topics Names

Telegram Forum Topics names now surface in agent context, prompt metadata, and plugin hook metadata, learned from Telegram service messages.

Persisted across restarts: learned topic names go into the sidecar store.

3. Multi-Channel Fixes

  • Slack: interactive buttons and modals enforce allowFrom allowlist to prevent intent bypass
  • Discord: native /status interactions return the real status card instead of synthetic ✅ Done; slash command option buttons get unique action IDs while sharing the listener
  • Microsoft Teams: SSO sign-in invokes enforce sender allowlist checks
  • Telegram: document text handling strips binary caption bytes so .epub and .mobi uploads no longer explode tokens; read-only /status commands bypass busy topic turns; standard commands stay on normal lanes

4. Security Hardening (multiple SSRF / auth patches)

  • Browser SSRF policy restores hostname navigation by default while keeping strict mode reachable
  • Browser snapshot/screenshot/tab routes enforce SSRF policy
  • Media-understanding attachment resolution fails closed when realpath errors out
  • Agents/gateway tool rejects model-driven config.patch/config.apply enabling of dangerous flags
  • Voice-call resolves source IP from trusted forwarding headers for per-IP connection limits
  • redactConfigSnapshot redacts sourceConfig and runtimeConfig alias fields

5. Codex Provider Fixes

  • Codex provider catalog includes apiKey, preventing ModelRegistry from silently dropping all custom models
  • Legacy openai-codex/gpt-5.4-codex alias canonicalized to openai-codex/gpt-5.4
  • Codex CLI auth-file diagnostics moved to the debug logger to keep interactive output clean

6. Local Model / Ollama Fixes

  • Configured embedded-run timeout now flows into the undici stream timeout — slow Ollama runs no longer inherit the default cutoff
  • Ollama OpenAI-compat streams send stream_options.include_usage for real local usage reporting
  • Replaced marked.js with markdown-it (Control UI ReDoS fix)
  • OpenAI-compat verification probes use max_tokens=16 to avoid strict-endpoint rejections

7. Cron / Scheduler Stability

  • Cron stops inventing short retries when next-run calculation returns no valid future slot
  • Error backoff floor preserved on transient failures, no premature recovery
  • PowerShell --tools allowlist parsing fixed on Windows (exec read write no longer becomes one entry)

Upgrade Recommendations

  • GPT-5.4 family users: pro variant ready
  • Telegram Forum Topics users: topic names get remembered by agents
  • Local Ollama / LM Studio users: upgrade to fix timeout and usage reporting
  • Everyone: multiple security patches, recommended upgrade

← v2026.4.12 · v2026.4.15 → · Back to list