Skip to content

Releases: Coding-Dev-Tools/engraphis

Engraphis 0.9.9

Choose a tag to compare

@github-actions github-actions released this 18 Jul 22:24

Full Changelog: v0.9.8...v0.9.9

Engraphis 0.9.8

Choose a tag to compare

@Coding-Dev-Tools Coding-Dev-Tools released this 18 Jul 18:28

Hardening release focused on dependable installation, upgrades, startup, dashboard use,
and safe hosted deployment.

Security

  • The relay's team-trial magic link is built from ENGRAPHIS_RELAY_PUBLIC_URL instead of
    the request Host header, so a forged header can no longer aim a trial email at an
    attacker's origin. Issuer/vendor relays that offer trials must set this variable
    trial signup returns 503 until they do, before any state is written. Customer-operated
    sync relays remain clients of the managed issuer and do not set vendor secrets.
  • The vendor-admin fallback to ENGRAPHIS_API_TOKEN is removed. A relay that never set
    ENGRAPHIS_VENDOR_ADMIN_TOKEN now fails closed on /license/v1 administration instead
    of accepting the per-instance service token.
  • Relay bundle storage is capped per account as well as per workspace
    (ENGRAPHIS_RELAY_MAX_ACCOUNT_BYTES, default 2 GiB;
    ENGRAPHIS_RELAY_MAX_WORKSPACES_PER_ACCOUNT, default 64), closing an unbounded-growth
    path available to a single authenticated key.
  • /license/v1/register and /license/v1/team-invite share one per-IP burst budget
    (ENGRAPHIS_REGISTER_RATE_PER_MINUTE, default 60) and run their Ed25519 verification in
    a worker thread. Both routes verify caller-supplied keys, so the budget is deliberately
    shared: alternating between them buys no extra work.
  • Every entrypoint sends baseline response headers — CSP, X-Frame-Options: DENY,
    X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS over HTTPS
    only. Override with ENGRAPHIS_CSP / ENGRAPHIS_HSTS; set either to an empty string to
    omit that header where a fronting proxy supplies its own.
  • A fresh deployment with no admin account, no paid license, and no API token refuses
    remote /api calls with 403 while still serving loopback and safe license discovery.
    Hosted trial creation and remote first-admin setup require the deployment API token,
    preventing trial-consumption denial of service and an account-takeover race.
  • Loopback/bootstrap trust now rejects all common forwarding metadata, including
    X-Forwarded-Proto; a same-host TLS proxy can no longer make an internet request
    look like an unproxied local setup request.
  • Inspector first-admin setup now uses the auth store's atomic empty-database gate, so
    concurrent different-email requests cannot both create administrators.

Added

  • MCP clients now receive canonical recall, session, durable-memory, and handoff guidance
    through the server's initialization instructions.
  • The dashboard exposes a small /api service index, and the graph CLI documents its
    public commands without showing the internal merge-driver command.
  • Regression coverage now exercises the sqlite-vec backend, workspace-aware entity recall,
    installed database migration, encryption packaging, CLI startup, update paths, and release
    artifacts.

Changed

  • Installed builds now keep the default database in the platform user-data directory.
    Existing package-directory databases are copied with SQLite's backup API, validated, and
    preserved as recovery copies; source checkouts retain their repository-local default.
  • engraphis-update discovers the highest stable SemVer tag, validates explicit versions,
    fails closed on fetch errors, refuses dirty editable worktrees, and keeps pip, pipx, Git,
    and documents the source-rebuild path for locally built Docker images.
  • Dashboard styling and navigation were reworked with five selectable themes, responsive
    mobile behavior, semantic landmarks, improved keyboard focus, clearer confirmations, and
    fully self-hosted browser assets.
  • Console launchers now validate arguments before optional imports, report actionable startup
    failures, display reachable IPv4/IPv6 URLs and resolved database paths, and advertise the
    current dashboard and API routes.
  • Optional-dependency bounds and extras were refreshed. The cross-platform all extra no
    longer pulls the platform-limited SQLCipher driver, while encryption continues to fail
    closed when no compatible driver is available.
  • The release workflow now pins actions by commit, runs the full test/evaluation and package
    validation gates, matches release tags to package versions, and reserves publishing for
    validated tag pushes. Bundled browser-library license notices are included in distributions.
  • Installation, hosting, sync, graph-query, MCP tool-count, and database-location guidance was
    synchronized with the current commands and runtime behavior.

Fixed

  • Installed engraphis-init configuration is now loaded from the current directory's
    .env without parent traversal, while explicit environment variables retain precedence.
    Upgrading no longer opens a fresh platform-default database instead of the database the
    user selected through engraphis-init.
  • A failed dashboard memory-detail request can no longer retain a prior memory identity or
    leave write controls enabled, preventing a later Save from modifying the wrong memory.
  • A fresh hosted deployment now renders an actionable, non-data bootstrap screen when remote
    API access is denied by default; it offers the safe Team-trial path or deployment-variable
    setup without exposing account-wide license activation to a signed-out browser.
  • Dashboard, REST, Inspector, MCP, licensing, sync, billing, and provider failures now return
    bounded user-facing messages rather than raw exceptions or upstream response bodies.
  • Trusted-proxy handling now evaluates the rightmost forwarded hop, supports exact/CIDR
    allow-lists, and prevents untrusted forwarding headers from changing URLs or secure-cookie
    decisions. Interactive API documentation is disabled on user-facing servers by default.
  • Dashboard handlers now read memory, workspace, member, and token identifiers from escaped
    data-* attributes instead of interpolating untrusted values into inline JavaScript.
  • Repository-graph JSON output now escapes non-ASCII labels so Windows console encodings do
    not turn successful impact, prs, or query commands into exit-code 2 failures.
  • A server-only installation now includes the multipart parser required by dashboard import
    routes instead of depending on the unrelated MCP extra to provide it transitively.
  • engraphis-mcp --help works without importing the optional MCP stack; server-only and
    explicitly offline configurations no longer emit misleading missing-dependency warnings.
  • Dashboard and legacy-server launch failures retain database recovery details instead of
    collapsing them into generic errors, and invalid port values are rejected cleanly.
  • SQLite vector selection is now tested in both accelerated and offline-fallback modes, while
    memory writes remain durable and audited if an index update fails.
  • The zero-configuration Compose dashboard now admits its Docker host bridge while both
    published ports remain loopback-only; widening a port requires an API token.
  • Git-installed updates retain their recorded PEP 610 remote, and failed editable updates
    restore the original branch without exposing a Python traceback.
  • Customer-operated sync relays are separated from the managed license/trial/invite service,
    and the sample .env no longer overrides installed database defaults with a relative path.
  • MCP end-of-session guidance again represents completed work with an empty unresolved list
    instead of persisting a fake open thread.

Engraphis 0.9.6

Choose a tag to compare

@Coding-Dev-Tools Coding-Dev-Tools released this 16 Jul 11:14
b51b44c

What's Changed

Full Changelog: v0.9.5...v0.9.6