fix: auth redirect loop after login, update docs — bump to v1.7.1

- signin: use full page reload after login so AuthGate re-checks auth
- AuthGate: only include returnUrl for non-root paths (session expiry)
- README: fix redis config format, OAuth endpoint paths, Docker Compose
- example config: add server.redis section, fix scrypt cost
- CLAUDE.md: update test count

Author: prih

CLAUDE.md

@@ -18,7 +18,7 @@ npm run cli:dev        # tsx src/cli/index.ts (no build needed)
 
 Run tests:
 ```bash
-npm test                               # all tests (1649 tests across 42 suites)
+npm test                               # all tests (1700 tests across 44 suites)
 npm test -- --testPathPatterns=search   # specific test file
 npm run test:watch                     # watch mode
 npx tsx src/tests/embedder.test.ts     # real model test (slow, excluded from Jest)

README.md

@@ -91,11 +91,28 @@ services:
       - /path/to/my-app:/data/projects/my-app
       - models:/data/models
     restart: unless-stopped
+    depends_on:
+      redis:
+        condition: service_healthy
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    volumes:
+      - redis-data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
 
 volumes:
   models:
+  redis-data:
 ```
 
+> Redis is optional. Remove the `redis` service and `depends_on` if you don't need shared session store or embedding cache.
+
 See [docs/docker.md](docs/docker.md) for details.
 
 ## What it does
@@ -129,8 +146,8 @@ See [docs/docker.md](docs/docker.md) for details.
 ## Web UI
 
 Dashboard, Knowledge (notes CRUD), Tasks (kanban board with drag-drop), Skills (recipes),
-Docs browser, Files browser, Prompts (AI prompt generator), Search (cross-graph),
-Graph (Cytoscape.js visualization), Tools (MCP explorer), Help.
+Docs browser, Code browser (symbols, edges, source), Files browser, Prompts (AI prompt generator),
+Search (cross-graph), Tools (MCP explorer), Help.
 
 Light/dark theme. Real-time WebSocket updates. Login page when auth is configured.
 
@@ -142,18 +159,20 @@ users:
     name: "Alice"
     email: "alice@example.com"
     apiKey: "mgm-key-abc123"
-    passwordHash: "$scrypt$..."   # generated by: graphmemory users add
+    passwordHash: "$scrypt$65536$..."   # generated by: graphmemory users add
 
 server:
   jwtSecret: "your-secret"
   defaultAccess: rw
-  redis: "redis://localhost:6379"   # optional: session store + embedding cache
+  redis:                              # optional: session store + embedding cache
+    enabled: true
+    url: "redis://localhost:6379"
 ```
 
 - **UI login**: email + password → JWT cookies (httpOnly, SameSite=Strict)
 - **API access**: `Authorization: Bearer <apiKey>`
 - **OAuth 2.0**: Authorization Code + PKCE (S256) with frontend consent page at `/ui/auth/authorize`; also supports client credentials and refresh tokens
-- **OAuth endpoints**: `/oauth/userinfo`, `/oauth/introspect`, `/oauth/revoke`, `/oauth/end-session`
+- **OAuth endpoints**: `/api/oauth/userinfo`, `/api/oauth/introspect`, `/api/oauth/revoke`, `/api/oauth/end-session`
 - **ACL**: graph > project > workspace > server > defaultAccess (`deny` / `r` / `rw`)
 - **Redis** (optional): when `server.redis` is configured, used for OAuth session store and embedding cache
 
@@ -164,7 +183,7 @@ See [docs/authentication.md](docs/authentication.md).
 ```bash
 npm run dev              # tsc --watch (backend)
 cd ui && npm run dev     # Vite on :5173, proxies /api → :3000
-npm test                 # 1649 tests across 42 suites
+npm test                 # 1700 tests across 44 suites
 ```
 
 ## Documentation

graph-memory.yaml.example

@@ -24,12 +24,12 @@
 #     name: "Alice"
 #     email: "alice@example.com"
 #     apiKey: "mgm-key-abc123"
-#     passwordHash: "$scrypt$16384$8$1$salt$hash"   # generated by CLI
+#     passwordHash: "$scrypt$65536$8$1$salt$hash"   # generated by CLI
 #   bob:
 #     name: "Bob"
 #     email: "bob@example.com"
 #     apiKey: "mgm-key-def456"
-#     passwordHash: "$scrypt$16384$8$1$salt$hash"
+#     passwordHash: "$scrypt$65536$8$1$salt$hash"
 
 # ---------------------------------------------------------------------------
 # Server settings (shared across all projects)
@@ -53,6 +53,14 @@ server:
   # maxFileSize: 1048576                        # Max file size for indexing in bytes (default: 1 MB)
   # exclude: "**/vendor/**"                     # Additional glob to exclude (merged with default: **/node_modules/**, **/dist/**)
 
+  # Redis (optional — session store for OAuth codes/sessions + embedding cache)
+  # Enables horizontal scaling and survives server restarts. In-memory fallback when disabled.
+  # redis:
+  #   enabled: false                             # Set true to enable Redis backend
+  #   url: "redis://localhost:6379"              # Redis connection URL
+  #   prefix: "mgm:"                            # Key prefix for all Redis keys
+  #   embeddingCacheTtl: "30d"                   # TTL for cached embeddings (default: 30d, 0 = no TTL)
+
   # Rate limiting (requests per minute per IP)
   # rateLimit:
   #   global: 600                               # All endpoints (default: 600)

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@graphmemory/server",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "description": "MCP server for semantic graph memory from markdown files",
   "main": "dist/cli/index.js",
   "bin": {

package.json

@@ -1,9 +1,8 @@
 import { useState } from 'react';
-import { useNavigate, useSearchParams } from 'react-router-dom';
+import { useSearchParams } from 'react-router-dom';
 import { Box, Card, CardContent, TextField, Button, Typography, Alert } from '@mui/material';
 
 export default function SignInPage() {
-  const navigate = useNavigate();
   const [searchParams] = useSearchParams();
   // Only allow relative paths to prevent open redirect attacks
   const rawReturn = searchParams.get('returnUrl') || '/';
@@ -27,7 +26,9 @@ export default function SignInPage() {
         body: JSON.stringify({ email: email.trim(), password }),
       });
       if (res.ok) {
-        navigate(returnUrl, { replace: true });
+        // Full page reload so AuthGate re-checks auth from scratch
+        window.location.href = '/ui' + returnUrl;
+        return;
       } else {
         const body = await res.json().catch(() => ({ error: 'Login failed' }));
         setError(body.error || 'Login failed');

ui/src/pages/auth/signin.tsx

@@ -44,6 +44,12 @@ export default function AuthGate({ children }: { children: ReactNode }) {
   }
 
   if (state === 'login') {
+    // Only include returnUrl when user was on a meaningful page (session expired mid-use).
+    // For root/initial visits, no returnUrl needed — signin defaults to '/'.
+    const isRoot = location.pathname === '/' && !location.search;
+    if (isRoot) {
+      return <Navigate to="/auth/signin" replace />;
+    }
     const returnUrl = `${location.pathname}${location.search}`;
     return <Navigate to={`/auth/signin?returnUrl=${encodeURIComponent(returnUrl)}`} replace />;
   }