← All releases

v2026.4.9

April 9, 2026 · View on GitHub

Dreaming: REM backfill & diaryproviderAuthAliasesSecurity: browser, dotenv, node execAndroid pairing & Matrix stability

What's new for you

Dreaming: grounded REM backfill with `rem-harness --path`, diary timeline, and promotion integration; Control UI diary/Scene improvements; provider `providerAuthAliases` in manifests; iOS CalVer pinning workflow; security fixes for browser SSRF after interactions, dotenv hardening, sanitized node exec events, and safer plugin onboarding auth collisions.

  • Memory/dreaming — REM backfill, diary commit/reset, grounded Scene lane
  • Plugins — provider manifests can declare `providerAuthAliases` for shared env and auth profiles
  • Security — SSRF re-checks after browser interactions; block risky env from workspace `.env`
  • Android pairing — clearer QR recovery; Matrix gateway no longer crashes on sync failure

Release highlights

FeatureDetails
Dreaming REM backfillGrounded REM backfill with historical rem-harness --path, structured diary views, commit/reset flows, and promotion integration so older daily notes can replay into Dreams without a second memory stack.
providerAuthAliasesProvider manifests can declare providerAuthAliases so variants share env vars, auth profiles, API-key onboarding, and config-backed auth without duplicating secrets per model id.
Security: browser, dotenv & node execBrowser SSRF guards re-run after interaction-driven navigations; workspace .env files cannot inject runtime-control keys; remote node exec summaries are sanitized so untrusted text cannot masquerade as trusted system events.
Android pairing & Matrix gatewayAndroid clears stale setup auth on new QR scans and preserves device tokens after bootstrap. Matrix waits for sync readiness before marking startup successful and routes fatal sync stops through channel restart instead of crashing the gateway.

Feature deep dives

Learn more about the changes that matter most. Bug fixes and minor improvements are listed on GitHub.

Dreaming: REM backfill & diary

Historical rem-harness paths, diary navigation, grounded Scene lane, and safer clear-grounded actions.

Read more →

providerAuthAliases

Manifest-driven sharing of env vars, auth profiles, and API-key choices across provider variants.

Read more →

Security: browser, dotenv, node exec

SSRF after clicks; workspace .env restrictions; sanitized node exec summaries as untrusted system events.

Read more →

Android pairing & Matrix stability

Fresh QR bootstrap and device tokens; Matrix waits for sync before marking startup OK.

Read more →

Full release notes

The complete changelog with all changes, fixes, and technical details is on the official GitHub release page.

Open v2026.4.9 on GitHub →