v1.1.0

v1.1.0

Breaking Changes

• Node.js ≥ 22 required — ESM-only dependencies no longer support Node 20
• Package renamed to @graphmemory/server
• Docker image renamed to ghcr.io/graph-memory/graphmemory-server
• Config restructured (no backward compat with v1.0.x):
  • docsPattern / codePattern removed → use graphs.docs.include / graphs.code.include
  • pattern renamed to include, excludePattern renamed to exclude
  • embedding split into two sections: model (model-specific) + embedding (operational)
  • embedMaxChars / maxTokensDefault removed → use embedding.maxChars

Features

Authentication & Access Control

• User management with API key authentication (Authorization: Bearer <apiKey>)
• Password login with scrypt hashing + JWT cookies for Web UI
• Per-graph ACL with hierarchical resolution: graph → project → workspace → server → defaultAccess
• Access levels: deny | r | rw
• CLI: graphmemory users add for interactive user creation

Team & Task Assignment

• Team directory via .team/*.md files (name, email per member)
• Task assignee field — assign, filter, display on kanban cards
• Assignee dropdown in task create/edit populated from team directory

Embedding API

• POST /api/embed — expose server's embedding model over HTTP for other instances
• Configurable limits: embeddingApi.maxTexts (default 100), embeddingApi.maxTextChars (default 10000)
• Separate auth via embeddingApi.apiKey
• Remote embedding client — use another server's model instead of loading locally:

  embedding:
    remote: "http://gpu-server:3000/api/embed"
    remoteApiKey: "key"

Config Restructuring

• Model config — whole object taken from first level that defines it (no field merging):

  server:
    model:
      name: "Xenova/bge-m3"
      pooling: cls
      normalize: true

• Embedding config — each field individually inherits up the chain (graph → project → workspace → server):

  server:
    embedding:
      batchSize: 1
      maxChars: 8000
      cacheSize: 10000

• Accumulating excludes — all levels merge (server + workspace + project + graph):

  server:
    exclude: "**/node_modules/**,**/dist/**"   # default
  projects:
    my-app:
      exclude: "**/coverage/**"                 # added on top
      graphs:
        docs:
          exclude: "**/drafts/**"               # added on top of that

• Max file size — configurable at server / workspace / project level (default 1 MB)
• Rate limiting — configurable per IP:

  server:
    rateLimit:
      global: 600   # all /api/* — req/min per IP
      search: 120   # search + embed endpoints
      auth: 10      # login endpoint

Access-Aware UI

• Hide create/edit/delete controls in read-only mode
• Hide disabled graphs from sidebar
• Login page for password-based auth

Code Parsing Engine

• Replaced ts-morph with tree-sitter (web-tree-sitter WASM)
• Faster parsing, no native binary dependencies
• Supports TS / JS / TSX / JSX, cross-platform CI compatible

Security Fixes

• Path traversal — fixed startsWith() string prefix matching → proper path.relative() check
• ACL on graph export — /api/projects/:projectId/graph now enforces per-graph read access
• ACL on tools router — /api/projects/:projectId/tools/:toolName/call enforces read/write by tool type
• YAML billion laughs — frontmatter parser limited to maxAliasCount: 10
• JWT TTL validation — reject zero/negative TTL values
• Filename sanitization — guard against empty result after sanitization in writeAttachment()
• WebSocket error handlers — prevent silent connection leaks on send failures
• Timing-safe comparison for all API key checks

Bug Fixes

• Hybrid search fusion — RRF no longer drops documents with low vector scores; all results included in fusion
• Multi-project proxy cleanup — filter by projectId to prevent deleting other projects' proxies in workspace mode
• Retroactive cross-file edges — deferred links and imports resolved after indexer drain
• Atomic mirror writes — write to temp file + rename to prevent corruption on crash
• Remote embedder retry — 3 attempts with exponential backoff for 5xx and network errors
• LRU embedding cache — configurable cacheSize (default 10,000), avoids re-computing identical texts
• Default maxChars raised from 2,000 to 8,000 (matches BGE-M3's 8,192 token context)
• Wiki search depth limit — max 10 levels to prevent stack overflow on deep/cyclic directories
• File size guard — skip files exceeding maxFileSize during indexing with warning
• Validation error details — REST API returns field-level error info instead of generic "Validation error"

Documentation

• Comprehensive docs/ directory (15+ pages covering architecture, configuration, security, Docker, etc.)
• All config examples updated for new format with correct defaults
• claude mcp add --transport http --scope project one-liner in setup guides
• MCP server name standardized to graph-memory across all examples

Stats

• 23 commits, 142 files changed
• ~11,000 insertions, ~4,200 deletions
• 1,240 tests across 28 suites