v1.3.0

@prih prih released this 21 Mar 16:02
· 236 commits to main since this release

Release Notes — v1.3.0

Date: 2026-03-21
Previous release: v1.2.0 (2026-03-19)
Commits: 21
Changes: 186 files changed, 11,054 insertions, 1,223 deletions
Tests: 1,507 tests across 36 suites (all passing)


Highlights

MCP Authentication & Per-User Access Control

MCP endpoints were previously open to anyone who knew the URL. Now:

  • API key authentication on MCP session creation (Authorization: Bearer <apiKey>)
  • If users are configured, a valid API key is required; otherwise backward-compatible (no auth)
  • Per-user tool visibility — mutation tools are hidden from users with read-only access (r) on a graph
  • Users with deny access don't see the graph's tools at all
  • Timing-safe API key comparison (reuses existing resolveUserFromApiKey)

Per-Graph Readonly Mode

New readonly: boolean option in graph config:

projects:
  my-project:
    graphs:
      knowledge:
        readonly: true   # searchable, but all mutation tools hidden

  • Mutation MCP tools not registered (clients don't see them)
  • REST mutations return 403 Forbidden
  • File mirror (.notes/, .tasks/, .skills/) skips readonly graphs
  • Tools explorer respects readonly (defense-in-depth)
  • Readonly overrides per-user rw access — it's a graph-level lock
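
How the MCP auth rules and the readonly lock described above combine into one visibility decision, as an added example that is not the project's own code. All function names, tool names, API keys and data shapes are hypothetical; hashing both keys with SHA-256 before crypto.timingSafeEqual is one common way to get a constant-time comparison and is an assumption about technique, not a description of resolveUserFromApiKey.

```javascript
// Added example: every name and value below is hypothetical or constructed.
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash both sides so timingSafeEqual always receives equal-length buffers.
const digest = (s) => createHash('sha256').update(String(s)).digest();

// Constructed sample config: two users, two graphs, four tools.
const users = {
  alice: { apiKey: 'key-alice-constructed', access: { knowledge: 'rw', tasks: 'rw' } },
  bob: { apiKey: 'key-bob-constructed', access: { knowledge: 'r', tasks: 'deny' } },
};
const graphs = { knowledge: { readonly: true }, tasks: { readonly: false } };
const tools = [
  { name: 'search_notes', graph: 'knowledge', mutates: false },
  { name: 'create_note', graph: 'knowledge', mutates: true },
  { name: 'list_tasks', graph: 'tasks', mutates: false },
  { name: 'create_task', graph: 'tasks', mutates: true },
];

// Map an Authorization header to a user id, or null. Every key is compared,
// so the time taken does not reveal which entry (if any) matched.
function resolveUser(authHeader, userTable) {
  const m = /^Bearer (\S+)$/.exec(authHeader || '');
  const presented = digest(m ? m[1] : '');
  let found = null;
  for (const [id, user] of Object.entries(userTable)) {
    const same = timingSafeEqual(presented, digest(user.apiKey));
    if (m && same) found = id;
  }
  return found;
}

// Tool names one MCP session may see, or null when session creation is refused.
function visibleTools(authHeader, userTable = users) {
  const authEnabled = Object.keys(userTable).length > 0;
  const userId = authEnabled ? resolveUser(authHeader, userTable) : null;
  if (authEnabled && userId === null) return null;
  return tools
    .filter((t) => {
      // Assumption: a graph missing from a user's access map is treated as deny.
      const level = authEnabled ? userTable[userId].access[t.graph] || 'deny' : 'rw';
      if (level === 'deny') return false; // graph's tools not shown at all
      if (!t.mutates) return true; // reads allowed for r and rw
      return level === 'rw' && !graphs[t.graph].readonly; // graph lock beats rw
    })
    .map((t) => t.name);
}
```

With this sample config, alice's rw grant on the readonly knowledge graph still hides create_note, and an empty user table falls back to the no-auth behaviour while keeping the graph-level lock.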

Mega Prompt Builder

New UI feature — Simple and Advanced modes for generating AI prompts from project context:

  • Simple mode: quick prompt generation from selected context
  • Advanced mode: tab-based UI with granular content selection, code/docs sources, and preview
  • Content audit and quality improvements

Connect MCP Dialog

New "Connect" button in the UI header:

  • Config snippets for .mcp.json, Claude CLI, Cursor, and Windsurf
  • Auto-detects and pre-fills API key when auth is enabled
  • Copy-to-clipboard for each config variant

Code Parser — 6-Phase Audit

Deep audit of tree-sitter code parsing and related systems:

  1. Phase 1: Fix TSX grammar loading, WASM memory leak, symbol extraction accuracy
  2. Phase 2: Graph structure, indexer robustness, import resolution improvements
  3. Phase 3: Search quality — symbol matching, includeBody support
  4. Phase 4: Docs link extraction, wiki-link caching
  5. Phase 5: Persistence safety, embedding vector compression, stop words
  6. Phase 6: Embedder test fixes, search quality end-to-end tests

UI Bundle Optimization

  • Vendor code splitting via Vite manualChunks — react, mui, mui-icons, markdown, md-editor, graph
  • Lazy loading of @uiw/react-md-editor (~679 kB) via React.lazy
  • Initial bundle reduced from 1,942 kB to ~653 kB

Security

  • MCP auth: Bearer API key required when users are configured
  • Readonly enforcement: mutation tools hidden from MCP, 403 on REST, mirror watcher skipped
  • Security hardening: input validation, safe graph operations (full project audit)
  • License change: ISC → Elastic License 2.0 (ELv2) — source-available, self-hosting allowed, managed service prohibited

Server Startup

  • HTTP server now starts after all initialization and indexing completes
  • Startup banner shows all project/workspace MCP endpoints when ready

Testing

  • +267 new tests (1,240 → 1,507)
  • REST API coverage: all 70 endpoints tested
  • MCP auth tests (config parsing, readonly, user access)
  • MCP readonly tests (tool visibility, canAccess/canMutate)
  • REST readonly tests (403 on mutations, 200 on reads)
  • Code parser, docs, graphs, search — comprehensive coverage
  • Search quality end-to-end tests

Documentation

Updated docs across the board:

  • configuration.md — readonly mode, examples
  • authentication.md — MCP auth section, per-user tool visibility
  • api-mcp.md — auth requirements, readonly tool hiding
  • api-rest.md — readonly in project list response
  • security.md — MCP auth, readonly as defense-in-depth
  • testing.md — updated test counts and patterns
  • npm-package.md — license update
  • UI help guides — readonly mentions in knowledge, task, skill tool docs

Community

  • CONTRIBUTING.md — development workflow, project structure, test patterns, guidelines
  • CODE_OF_CONDUCT.md — Contributor Covenant 2.1
  • SECURITY.md — vulnerability reporting policy (GitHub Security Advisories + email)

Breaking Changes

  • License: Changed from ISC to Elastic License 2.0. Self-hosting and modification are permitted; offering as a managed/hosted service is not.
  • MCP auth: If users are configured in graph-memory.yaml, MCP clients now require Authorization: Bearer <apiKey> header. Existing setups without users are unaffected.

Upgrade Notes

  1. Update MCP client configs to include API key header if auth is enabled
  2. Review graph configs — add readonly: true to graphs that should be read-only
  3. Review license terms if distributing or hosting the software