Releases: graph-memory/graphmemory

v1.9.5

31 Mar 12:21

March 2026

Fixes

  • Epic→Task navigation crash — statusLabel()/priorityLabel() threw "Cannot read properties of undefined (reading 'toUpperCase')" when task relations (blockedBy, blocks, related) lacked status field. Server now returns status for all relation types; UI guards against undefined
  • Epic→Task breadcrumbs — navigating from epic to task now passes ?from=epic&epicId= so breadcrumbs show full path: Tasks → Epics → Epic Name → Task

Improved

  • Inline status/priority editing — task detail view replaces "Move to" dropdown with badge-style select (matching list view); epic detail view now has inline status and priority selects
  • Inline assignee editing — task detail view shows assignee as a select dropdown (like epic field), visible even when unassigned
  • Board column height — all board columns now stretch to match the tallest column, making drag & drop into empty columns easy
  • Full-width selects — Epic and Assignee selects on task detail stretch to full width

v1.9.4

30 Mar 22:27

March 2026

New

  • Per-user author attribution — when authentication is configured, all mutations (create, update, delete, link, attachment) record the authenticated user as author (createdBy/updatedBy) instead of the static config author. Falls back to config author when auth is disabled
  • Team from users config — GET /api/projects/:id/team returns users from config when auth is enabled, instead of reading .team/ directory files. .team/ files still used when auth is disabled
  • Author in all mirror events — relation and attachment events in events.jsonl now include by field for audit trail

Tests

  • 29 new tests — author flow: resolveRequestAuthor, mirror by field, manager author override for Task/Knowledge/Skill managers
  • Total: 1947 tests across 55 suites

v1.9.3

30 Mar 20:21

March 2026

Fixes

  • Epic-task links lost on restart — linkTaskToEpic/unlinkTaskFromEpic used mirrorTaskUpdate instead of mirrorTaskRelation, so belongs_to events were never written to events.jsonl; on restart the relation was replayed without the link and syncRelationsFromFile removed it
  • WebSocket false auth redirect — WS reconnect blindly called /api/auth/refresh on every close; when auth is not configured or the server is briefly down, this triggered a redirect to login. Now checks /api/auth/status first and only triggers auth failure when auth is truly required and refresh fails

v1.9.2

30 Mar 19:40

March 2026

New

  • Tasks tabs navigation — Summary, List, Board, and Epics as tabs within a single Tasks section. Epics moved from top-level nav to Tasks tab at /tasks/epics
  • Task Summary dashboard — 6 stat cards (Total, Active, Completed, Overdue, In Review, Unassigned), breakdowns by status/priority, by assignee, by epic with progress bars, recently updated tasks, upcoming & overdue deadlines. All clickable with URL filters
  • Epic selector in task forms — single-select epic dropdown in create/edit forms with auto link/unlink on save
  • Inline priority editing — pill-badge priority selector on task detail view
  • Attachments in edit forms — upload/delete attachments during task, note, and skill editing (previously only on detail view)
  • Skills grid layout — 2-column card grid with 3-dot menu (Edit/Delete), matching Knowledge layout
  • Epic detail two-column layout — description + tasks list on left, progress bar + properties on right
  • Context-aware breadcrumbs — task pages show origin (Board/List) via URL ?from= param, persists through navigation
  • Column visibility from URL — /tasks/list?status=review sets visible columns, /tasks/list?group=assignee sets grouping

Fixes

  • Board drag & drop rewrite — SortableContext per column with useDroppable, custom collision detection (cards over columns), arrayMove for correct position, live cross-column movement in handleDragOver, WebSocket refresh suppressed during drag
  • List drag & drop rewrite — migrated from useDraggable/useDroppable to SortableContext/useSortable with visual row displacement during drag, same arrayMove approach as board
  • Docker healthcheck — replaced node -e "fetch(...)" with curl -f (no Node process spawn)
  • Duplicate submit buttons — removed redundant Create/Save buttons from PageTopBar on all create/edit pages
  • Attachments/relations in main column — moved from sidebar to main content area on task, note, and skill detail views
  • Uppercase status/priority labels — consistent uppercase labels across all views (board, list, forms, badges, summary, epics)
  • FieldRow vertical layout — label above value with dividers (instead of side-by-side)

Performance

  • React.memo on card/row components — SortableTaskCard and SortableTaskRow wrapped in memo
  • Stable callback props — extracted inline callbacks to useCallback to prevent unnecessary re-renders
  • Team lookup map — replaced team.find() (O(n)) with Map<id, TeamMember> (O(1)) per card render
  • Memoized activeTask — useMemo instead of .find() on every render

v1.9.1

30 Mar 13:47

March 2026

New

  • Pino structured logging — replaced all process.stderr.write calls with Pino logger. Pretty output by default, LOG_JSON=1 for production. Configurable via --log-level flag (fatal/error/warn/info/debug/trace). Removed --debug flag
  • Task list grouping — group tasks by any field: status, priority, assignee, tag, epic, or flat view. Drag-and-drop between groups changes the field value. Grouping preference saved in local storage
  • Unified filter system — reusable useFilters hook, FilterControl select wrapper, and FilterChip components. Active filters shown as removable chips below controls. Migrated Tasks (board + list) and Epics pages
  • WebSocket connection indicator — colored dot inside the Connect button shows real-time connection state (green = connected, yellow pulsing = reconnecting, red = disconnected)
  • Sidebar colorization — each navigation item has a unique icon color (VS Code palette). Tasks moved to 2nd position in nav order
  • Epics — full epic management: backend, REST API, 8 MCP tools, UI pages (list, detail, create, edit), task↔epic linking, progress tracking, filters
  • Bulk task operations — MCP tools for bulk move, priority change, and delete
  • Task board — kanban with @dnd-kit drag-and-drop, column visibility chips, inline creation, quick actions
  • Task list view — table with sorting, bulk selection, DnD reordering, status toggle chips
  • Backup CLI command — graphmemory backup exports graph data and mirror files to tar.gz
  • Pagination — offset-based pagination on all list endpoints and UI pages
  • Quick create dialog — two-column layout with description, "Create & New" button
  • AI Prompt Builder — generate optimized system prompts with 14 scenarios, 8 roles, 6 styles, per-tool priority control
  • File attachments — support attachments during entity creation (tasks, notes, skills)
  • Two-column layouts — detail pages (content 65% / sidebar 35%) and create/edit forms
  • Parse-duration — human-readable time strings for config values (e.g. 30d, 15m)
  • VS Code deep links — vscode:// links for files in code/docs graphs

Fixes

  • Missing WebSocket events — added epic:created/updated/deleted/linked/unlinked and task:reordered to WS broadcast (were emitted but never sent to clients)
  • BM25 Unicode support — tokenizer now handles Cyrillic, CJK, Arabic, and other scripts
  • Graph version migration — preserve user data (knowledge, tasks, skills) on version/embedding config change instead of discarding
  • WebSocket access control — broadcast filters events by user access level
  • Security — reject anonymous requests when users configured, rate limit OAuth endpoint, timing-safe PKCE, Docker non-root user + healthcheck
  • Dependency vulnerabilities — resolved 5 npm audit issues
  • Mutation queue drain — drain queue before saving on shutdown
  • Event emission — emit events for relation create/delete operations

Tests

  • WebSocket server tests (connect, broadcast, events, auth, debounce, filtering)
  • MCP epic CRUD tests, bulk task tests
  • BM25 Unicode, graph migration, version conflict, relation events
  • Mirror-watcher, file-import, events-log, team, promise-queue tests
  • Total: 1918 tests across 54 suites

v1.8.2

26 Mar 20:09

March 2026

Fixes

  • Session expiry — 403 instead of 401 — access cookie maxAge now matches refresh token TTL so the browser delivers expired JWT cookies to the server; auth middleware returns 401 (triggering client-side refresh) instead of falling through to anonymous 403
  • Client-side session refresh — checkAuthStatus(), file uploads, attachment images/downloads, and WebSocket reconnect all handle 401→refresh→retry; previously only request() wrapper did
  • WebSocket reconnect on server restart — WS reconnect now distinguishes network errors (server down → exponential backoff retry) from auth rejection (→ redirect to login); previously any failure kicked to login
  • CLI password input visibility — users add command no longer echoes password to terminal

v1.8.1

26 Mar 13:21

March 2026

Fixes

  • ACL enforcement on project/workspace listing — GET /api/projects now hides projects where the user has no read access to any graph; previously all projects were returned to all users
  • ACL enforcement on stats endpoints — GET /api/projects/:id/stats returns null for graphs the user cannot read; GET /api/projects stats zeroed for denied graphs
  • Workspace listing filtered by access — GET /api/workspaces only returns workspaces (and projects within) that the user can access
  • Concurrent token refresh deduplication — multiple parallel 401 responses now share a single refresh request instead of firing one per failed call
  • UI respects graph access — navigation sidebar, dashboard stat cards, and Recent Notes/Tasks sections hidden for denied graphs

v1.8.0

25 Mar 19:34

March 2026

New

  • OAuth config section — dedicated server.oauth config with enabled, accessTokenTtl, refreshTokenTtl, and authCodeTtl fields
  • Per-model embedding cache — cache factory supports per-model namespacing for multi-model setups

Fixes

  • Cross-graph link deletion from mirror side now works correctly; proxy nodes excluded from graph stats
  • OAuth token endpoint moved to /api/oauth/token for consistency with all other OAuth endpoints
  • Security hardening — path traversal, input validation, headers, error message disclosure

Docs

  • Comprehensive documentation audit — synced all docs, site, UI help, and changelog with actual code
  • Changelog rewritten in compact user-facing format, trimmed to v1.5.0+

v1.7.1

25 Mar 14:24

Full Changelog: v1.7.0...v1.7.1

v1.7.0

25 Mar 13:32

Released: March 2026

Highlights

  • Full OAuth 2.0 support — both client_credentials and Authorization Code + PKCE (S256) grant types. AI chat clients (Claude.ai, etc.) authenticate via the browser-based consent flow; programmatic clients use client credentials. Discovery at GET /.well-known/oauth-authorization-server.
  • Frontend auth pages — consent page at /ui/auth/authorize (shows requesting service hostname, inline login if needed), standalone login page at /ui/auth/signin with returnUrl redirect.
  • Redis backend — optional Redis support (server.redis) for session store (auth codes, OAuth sessions) and embedding cache. Enables horizontal scaling and survives server restarts. In-memory fallback when disabled.
  • Tool naming consistency — all 58 MCP tools audited and renamed to consistent graph_verb_noun prefixes. Parameter names, defaults, and descriptions aligned across MCP tools and REST endpoints.

New Endpoints

  • GET /.well-known/oauth-authorization-server — RFC 8414 OAuth discovery metadata
  • POST /api/oauth/authorize — issue authorization code (JSON request/response)
  • POST /oauth/token — token exchange for client_credentials, authorization_code, and refresh_token grants
  • GET /api/oauth/userinfo — returns { sub, name, email } from Bearer token
  • POST /api/oauth/introspect — RFC 7662 token introspection
  • POST /api/oauth/revoke — RFC 7009 token revocation
  • POST /api/oauth/end-session — session termination

OAuth

  • oauth_refresh JWT type — refresh tokens are self-contained signed JWTs with type: "oauth_refresh", separate from UI refresh type. Only accepted at POST /oauth/token.
  • Atomic auth code exchange — SessionStore.getAndDelete() prevents TOCTOU race conditions on single-use authorization codes.
  • PKCE S256 — code challenge verification required for all Authorization Code flows.
  • Open redirect protection — returnUrl on /ui/auth/signin validated to allow only relative paths.
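
How the three controls listed above fit together, as an added sketch that is not graphmemory's own code: a single-use code store whose getAndDelete() leaves no window between lookup and removal, PKCE S256 verification with a constant-time compare, and a relative-path check for returnUrl. MemorySessionStore, verifyPkceS256, exchangeAuthCode, safeReturnUrl, the authcode: key prefix and the /ui/ fallback are hypothetical names; only getAndDelete() and returnUrl come from the release notes.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory store (illustration only).
class MemorySessionStore {
  constructor() { this.items = new Map(); }
  set(key, value, ttlMs) {
    this.items.set(key, { value, expires: Date.now() + ttlMs });
  }
  // Lookup and delete happen in one synchronous step, with no await in between,
  // so two concurrent exchanges can never both observe the same code.
  getAndDelete(key) {
    const entry = this.items.get(key);
    this.items.delete(key);
    return entry && entry.expires > Date.now() ? entry.value : null;
  }
}

// RFC 7636 S256: BASE64URL(SHA256(code_verifier)) must equal the stored code_challenge.
function verifyPkceS256(codeVerifier, codeChallenge) {
  if (typeof codeVerifier !== 'string' || typeof codeChallenge !== 'string') return false;
  const computed = crypto.createHash('sha256').update(codeVerifier, 'ascii').digest();
  const expected = Buffer.from(codeChallenge, 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === computed.length && crypto.timingSafeEqual(computed, expected);
}

// Consume the code before validating it, so a failed attempt also burns the code.
function exchangeAuthCode(store, code, codeVerifier) {
  const session = store.getAndDelete(`authcode:${code}`);
  if (!session) return { ok: false, error: 'invalid_grant' };
  if (!verifyPkceS256(codeVerifier, session.codeChallenge)) {
    return { ok: false, error: 'invalid_grant' };
  }
  return { ok: true, sub: session.sub };
}

// Accept only same-origin relative paths: reject absolute URLs, scheme-relative
// "//host" forms, backslashes, and control characters that browsers strip.
function safeReturnUrl(returnUrl, fallback = '/ui/') {
  if (typeof returnUrl !== 'string' || !returnUrl.startsWith('/')) return fallback;
  if (returnUrl.startsWith('//') || /[\\\x00-\x1f]/.test(returnUrl)) return fallback;
  return returnUrl;
}
```

A shared store such as Redis needs the same read-and-remove to be a single atomic command (for example GETDEL) rather than a GET followed by a DEL.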

Security

  • Auth before project lookup — MCP handler checks authentication before resolving the project, preventing project ID enumeration
  • WWW-Authenticate: Bearer on 401 — RFC 6750 header on all MCP 401 responses
  • Express trust proxy — X-Forwarded-For and X-Forwarded-Proto correctly trusted behind reverse proxies

Configuration

  • New server.redis section: enabled, url, prefix, embeddingCacheTtl
  • Docker Compose includes Redis service with healthcheck
  • include field accepts YAML array in addition to single glob string

Fixes

  • Cleaner MCP responses — internal fields (fileEmbedding, pendingLinks, pendingImports, pendingEdges, version), null values, and empty arrays stripped
  • docs_get_node — removed fileEmbedding, pendingLinks, mtime from response
  • code_get_symbol — removed fileEmbedding, pendingImports, pendingEdges from response
  • notes_get, tasks_get, skills_get — removed version; null fields and empty arrays stripped

Tests

  • 1700 tests across 44 suites
  • Full OAuth endpoint coverage: discovery, authorize, token (all 3 grants), userinfo, introspect, revoke, end-session
  • Session store unit tests (Memory + Redis mock)
  • Embedding cache unit tests (Memory LRU + Redis mock)

Documentation

  • Updated all auth docs: docs/authentication.md, docs/security.md, docs/api-rest.md, docs/configuration.md
  • Updated site docs: security/authentication.md, guides/mcp-clients.md, getting-started/configuration.md
  • Updated README.md with OAuth and Redis overview
  • Updated docs/docker.md with Redis compose example