
Calliope CLI 2.5.0: Dynamic Models, Hardened Security, and Updates That Actually Ship

What shipped

Calliope CLI is the multi-model agent terminal in the Calliope Workbench. It runs commands, edits files, calls tools, and talks to whichever model you point it at. Version 2.5.0 is the largest hardening release it has had. We reviewed the whole codebase, fixed what the review surfaced, upgraded the supply chain, and repaired the release pipeline so the fixes can actually reach the people running it. That last one matters more than it sounds, and it comes up at the end.

Install or update:

npm install -g @calliopelabs/cli

Here is everything in the release.

Models: discovery instead of assertion

The CLI used to ship a hardcoded list of model identifiers. That list went stale the way hardcoded lists always do. One model had already been retired by its provider and was returning errors, and others were days from the same fate. Asserting which models exist is a losing game when the providers change them on their own schedule.

  • Live model discovery. The CLI now pulls the available models and their capabilities from each provider’s API at runtime, with a small, clearly-labeled fallback for offline use. No more stale identifiers, no more silent 404s.
  • Correct context and output limits. Context windows and maximum output are read per model from the provider rather than pinned to one global number, so long-context models stop being throttled to a fraction of their real capacity.
  • Adaptive thinking + refusal handling. Requests to models that support it now enable adaptive thinking, and the CLI handles the refusal stop reason cleanly instead of treating a declined request as an empty success.

Security: eleven fixes

The review’s whole point was the security surface, and it found real issues. The full writeup is in the companion post; here is the changelog.

  • Command-injection fix (RCE). A dynamic-tool path interpolated model-controlled arguments into a shell string. Arguments are now passed as a quoted argument vector and routed through the same execution gates as the normal shell tool.
  • Sandbox hardening. Shell execution now runs with the network off by default and reads denied to secret directories (~/.ssh, ~/.aws, and .env files) when a sandbox is active. auto mode is honestly best-effort; a new native mode fails closed for callers who require enforcement.
  • Scope and path hardening. Removed a /tmp escape hatch, added real-path resolution to defeat symlink escapes, and protected the CLI’s own state directory so a tool can’t plant a hook or tamper with trust.
  • MCP SSRF guard. Outbound MCP connections now block link-local (cloud metadata) and private network ranges by default, while still allowing the local servers people legitimately run.
  • Skills path-traversal fix. Installing a skill can no longer write outside the skills directory via a crafted name.
  • API server auth. The local API server now authenticates WebSocket upgrades, compares tokens in constant time, and sets request timeouts.
  • Trust and confirmation. New project directories are no longer auto-trusted, and unrecognized shell commands now require confirmation instead of running unprompted.
  • Hook hardening. Blocking hooks actually block now, and a stuck hook is killed rather than ignored.

Reliability and data integrity

  • Atomic writes. Session history, branch state, and checkpoints are written with a temp-file-and-rename so a crash or a second concurrent instance can never truncate your conversation.
  • Session deletion that works. Deleting a session from the UI now resolves the right directory instead of silently failing.
  • Correctness fixes to checkpoint handling across directory changes, context compaction at the summarize boundary, idle eviction, and parallel tool-error reporting so failures are recorded as failures.
  • Streaming fix. The non-streaming path now caps its output request so the upgraded SDK doesn’t reject long generations.

Supply chain and dependencies

  • Every known CVE cleared. A dependency audit turned up eleven advisories, two of them critical; all eleven are resolved in this release, and package provenance is verified.
  • @anthropic-ai/sdk 0.39 → 0.104, plus refreshed model and tooling dependencies.

The release pipeline itself

The most consequential fix isn’t in the agent at all. Three consecutive releases had failed to publish to npm, silently, because the failure was buried in a build step nobody watched. The practical effect was that every user had been stuck several versions back, unable to receive any fix even after it was written.

We traced it to a dependency reference that couldn’t resolve in CI, fixed it, and confirmed 2.5.0 actually landed on the registry. A patch nobody can install is a report, not a remediation. This is the one we fixed first.

Get it

npm install -g @calliopelabs/cli
# then
calliope --help

2.5.0 is live on npm now. If you have been running an older build, this is the update that finally reaches you, with live model discovery, the security pass, and a clean dependency tree underneath it.