Zum Hauptinhalt springen

Changelog

Was ist neu in Tale?

Release Notes zu Tale, neueste zuerst — veröffentlicht aus GitHub Releases.

Quelle: GitHub Releases.

v0.3.3

What's Changed

Auf GitHub ansehen

v0.2.99

What's Changed

Auf GitHub ansehen

v0.2.98

What's Changed

Auf GitHub ansehen

v0.2.96

What's Changed

Auf GitHub ansehen

v0.2.94

What's Changed

Auf GitHub ansehen

v0.2.93

Highlights

Attach images and documents to tasks

Tasks can now carry attachments. Attach images and documents (PDF / Office / CSV / text — no audio or video) when creating a task, and add or remove them from a task's detail view. Up to 10 files per task, validated against an images/documents MIME allow-list, with each storage id verified to belong to your org. Removing an attachment or deleting a task purges the underlying blob. The attachment array is self-described on the task row, so the board and detail views render without an extra join. (#2168)

One-click prompt library

With an empty composer there is nothing to save as a draft, so the bookmark button's dropdown only ever offered "Prompt library". The bookmark now opens the Prompt library dialog directly when the composer is empty — one click instead of two. When the composer has text it is unchanged: the dropdown still offers Save prompt draft plus Prompt library. (#2166)

Fixes

  • Chat — org isolation on switch: Switching organizations with a chat thread open kept rendering the previous org's chat. The by-id thread queries now authorize against the org you are acting in (not the thread's own org), and their query keys are org-scoped so the switch-time cache purge drops them. Tenant isolation was never broken — non-members could not read the data; this fixes context coherence for members of multiple orgs. (#2170)
  • Issue desk — issues now render: The issue desk showed no issues even when untracked GitHub issues existed, because the integration list reader looked for data / pagination at the top level while the connector payload lives under .result. A shared readIntegrationListPage helper now unwraps the envelope (and tolerates a flat payload for forward compatibility). (#2175)
  • Actionable error messages: Convex redacts raw throw new Error(...) to "Server Error" in production, so clients that branched on the message text were silently dead in prod. Expected-failure throws on knowledge/website duplicates, approval and human-input cards, and automation triggers now use ConvexError({ code }) mapped to localized, actionable messages in en/de/fr. (#2172, closes #2056)
  • Project chat list: Task and project discussion threads no longer leak into a project's chat folder — listProjectThreads now applies the shared isHiddenFromChatHistory guard already used by the main chat list. (#2168)

For operators

Both items below are operator-facing but require no data migration. Upgrade as usual — tale upgrade then tale deploy — and compose is regenerated for you.

  • llm-gateway renamed to sandbox-llm-gateway (#2178). The bare name over-claimed scope: in-sandbox coding agents (Claude Code / OpenCode) are its only clients — regular chat calls providers directly from Convex and never touches it. The service, container, image (tale-llm-gatewaytale-sandbox-llm-gateway), build context, and LLM_GATEWAY_* env family are all renamed. Backward compatible for one release: tale upgrade migrates your LLM_GATEWAY_* vars to SANDBOX_LLM_GATEWAY_* in place — the gateway admin password is preserved, never regenerated — and a transitional network alias plus env fallback keep in-flight sandbox sessions resolving across the deploy. The llm-gateway-data volume keeps its name (derived cache, re-provisioned per session). The transitional shims are removed next release.
  • Sandbox drops blue-green for in-place drain (#2179). The sandbox tier becomes a single container reached via the bare sandbox alias, deployed roll-in-place after a drain — exactly like convex. The platform tier keeps its blue-green flip. This removes the deploy-time colour concept from the data layer and fixes a class of "fetch failed" chat turns: after a flip tore down a colour, a chat session pinned to the now-gone sandbox-<colour> host hard-failed its liveness probe forever. The spawnerColor schema fields are kept deprecated-optional, so existing rows still read — no migration this release (a follow-up clears the values and drops the fields).

Full changelog: https://github.com/tale-project/tale/compare/v0.2.92...v0.2.93

Auf GitHub ansehen

v0.2.92

Highlights

Faster sandbox container builds (opt-in)

DinD sandbox sessions used to rebuild every Docker layer from scratch — each session got an ephemeral inner /var/lib/docker. A new shared, persistent BuildKit daemon (sandbox-buildkitd) gives every session on a host one content-addressed build cache, so docker build / docker compose up --build in one session reuses the layers another already built — transparently, with no per-build flags or hardcoded IPs. Build steps stay egress-fenced like the rest of the sandbox. Off by default; enable with SANDBOX_DOCKER_BUILD_CACHE=true (only meaningful with DinD). (#2164)

Issue resolution desk: self-closing and multi-repo

The Issue desk now finishes its own work and is no longer hardcoded to a single repository. Tasks parked at in_review auto-close when their PR is merged out of band (GitHub UI, CI automerge, a teammate) instead of being stranded forever, and each install configures its own target repo. Built as app data plus small generic platform primitives — no per-vertical backend code. (#2153)

Fixes

  • Sandbox / deploy: A tale deploy blue-green flip that left an old colour lingering kept the bare sandbox network alias, so session creates failed with a persistent 503 draining on every retry — not just a transient flip-window race. The flip now revokes the alias from the lingering colour, with a drain-retry on session create. (#2162)
  • Chat attachments: Audio/video files in the 100–200 MB band were wrongly rejected because the per-file gate clamped the media ceiling back down to the 100 MB generic cap; media now uses its own ceiling (the 200 MB total cap and 4-hour duration check remain the real gates). Unsupported types with no configured upload policy now show the correct rejection toast. (#2156)
  • Chat: Thread titles fall back to the user's first message when no title is generated. (#2161)
  • Chat i18n: Resolved-state status badges on approval cards are now translated, and missing chat-panel, canvas, and live-browser keys were added across all locales. (#2157, #2159)
  • Export: Fixed the export-dialog nested-button hydration warning and relabeled the PDF export option. (#2160)
  • Issue desk: Stopped the desk's first page rendering empty. (#2151)
  • Enterprise SSO: Seed the SSO form's select/switch controls with defined defaults. (#2099)
  • Reliability: Log and surface failures that were previously swallowed in empty catch blocks. (#2158)

Developer experience

  • Boot the dockerized dev stack with zero .env config, and forward host env into the docker:dev container. (#2163, #2165)

For operators

Upgrading adds a new optional service image, sandbox-buildkitd. Run tale upgrade then tale deploy as usual — compose is regenerated to include it. The shared build cache is off by default; enable it with SANDBOX_DOCKER_BUILD_CACHE=true (DinD only). No data migration is required.

Full changelog: https://github.com/tale-project/tale/compare/v0.2.91...v0.2.92

Auf GitHub ansehen

v0.2.91

Bug fixes for the Researcher (deep-research) chat experience.

Fixes

  • Researcher chat no longer flickers or gets stuck. Deep-research runs that delegate to the Researcher could crash-loop the chat and leave it stuck on "Thinking" — a delegated sub-thread's live stream returned a payload the chat client couldn't read. Sub-threads are now authorized via their parent thread and stream cleanly, restoring the nested delegation timeline.

  • The research plan stays visible. The live to-do plan could appear and then vanish mid-run once the assistant made its own web/integration calls — an empty integration-tracking record was shadowing the delegate's real plan. The plan now persists and tracks progress through the whole run.

  • The plan-approval gate actually holds. request_human_input (e.g. the Researcher's "confirm plan" card) now hard-stops the turn and waits for your response, instead of being auto-retried straight past into execution.

  • Delegated agents no longer strand an approval. A delegated sub-agent's approval request previously left a pending card that locked the composer with no way to resume it; the gate is now handled by the agent you're talking to.

Full changelog: #2152

Auf GitHub ansehen

v0.2.90

Highlights

Chat & workspace files

  • Unified canvas file viewer. Every file in the workspace canvas now sits under one action card with a single, consistent set of controls — download, a Source / Preview toggle, and line-wrap. The Source/Preview and wrap choices are sticky: pick Preview (or turn on wrapping) on one file and it carries to the next file you open, while any file you've explicitly toggled keeps its own choice. (#2135)
  • "Save as" for workspace files. Downloads honor the real workspace filename for both agent-generated text (code/markdown/svg held in memory) and remote files in storage (images, oversized attachments) — no more saving under a storage UUID.
  • Chat file-panel UX polish across the file panel, viewers, and code rendering. (#2148)

Apps

  • App details page plus assorted platform UI polish fixes. (#2136)

Sandbox — document toolchain baked into the runtime image

Agents running in the sandbox can now convert and render documents out of the box; these OS-level tools are baked into the sandbox-runtime image (they can't arrive via the per-execution uv pip install path): (#2148)

  • LibreOffice (Writer / Calc / Impress) for faithful Office → PDF conversion of .docx / .xlsx / .pptx and xlsx formula recalc.
  • poppler-utils (pdftoppm, pdftotext) for PDF rasterization and text extraction.
  • pandoc for clean .docx → markdown/text extraction.
  • XeTeX (texlive-xetex + latex/fonts-recommended + lmodern) so pandoc --pdf-engine=xelatex produces publication-grade PDFs with a real table of contents, page numbers, headers/footers and a title page — including Chinese documents via texlive-lang-chinese.

Reliability & correctness

  • No more spurious "Index failed" badge on sandbox attachments. Files uploaded to an external-agent (sandbox) conversation are file-staged directly into the sandbox rather than indexed into the knowledge base, so they now skip RAG indexing entirely. (#2141)
  • Agents no longer leak internal <untrusted_source> markers into their replies. These tags are internal-only; agents now extract the facts and cite sources as ordinary markdown links. (#2149)

No database migrations, no new environment variables, and no operator action required to upgrade.

Auf GitHub ansehen

v0.2.89

Patch release on top of v0.2.88. Enterprise SSO/SCIM security hardening, chat attachments for sandboxed agents, and issue-desk PR de-duplication. No data migrations and no required configuration changes.

Highlights

  • Enterprise SSO & SCIM hardening (#2118).

    • Open-redirect protection on the auth flows: a user-influenced redirect target must resolve to a path on our own origin. Absolute, protocol-relative (//host), and backslash-smuggled (/\host) targets are rejected and fall back to a safe default (issue #2037).
    • SCIM active: false now soft-deactivates a user — the IdP's usual de-provisioning signal. The org membership is kept with a disabled role and is fully restored on a later active: true.
    • A hard SCIM DELETE fully deprovisions — subsequent GET/PATCH return 404, per RFC 7644 §3.6.
    • The org owner is protected from SCIM deprovisioning, and duplicate user creation returns 409 Conflict. SCIM group-membership PATCH now applies replace → add → remove deterministically.
  • Chat attachments delivered to sandboxed external agents (#2119). Files attached in chat are now staged for Claude Code / OpenCode agents on the persistent /user volume under /user/uploads — outside the agent's workspace, so uploads never pollute project files — under their real file names (so "summarize report.pdf" just resolves), with read access granted via --add-dir. A per-turn cap guards against abuse.

  • Issue desk reuses an existing PR (#2122). Re-running the desk on an issue that already has an open pull request now updates that PR instead of opening duplicates.

Fixes & polish

  • Settings UX polish (#2126): data-residency header actions and layout refinements across the settings surfaces (2FA, API keys, providers, deployment, personalization, user env).
  • Drop overlay (#2121): the full-page drag-and-drop overlay now clears correctly after a file is dropped on the composer.

Operator notes

  • New optional SANDBOX_BROWSER_VIEW (default OFF). When set to 1, agent browser sessions run a headed Chromium with a read-only VNC mirror streamed into the chat UI; the platform attaches Playwright MCP over CDP. Left unset, behaviour is unchanged (headless, no live preview). The CLI env generator now emits it commented-out.
  • Graceful shutdown in compose.yml. stop_grace_period is now set for the platform (45s) and sandbox (30s) services, so docker compose up drains in-flight chat streams / executions before SIGKILL instead of using Docker's 10s default. This already matched the CLI compose generator.
  • No data migrations and no required configuration changes in this release.

Auf GitHub ansehen

v0.2.88

What's Changed

Auf GitHub ansehen

v0.2.87

Highlights

Enterprise SSO & SCIM provisioning (#1936)

Unified, file-based Enterprise SSO replacing the old per-provider config: a single connection covering OIDC, OAuth2, and SAML, plus SCIM 2.0 user/group provisioning. Configured from the admin UI (Settings → Enterprise SSO). See the new Enterprise SSO docs.

Two-tier sandbox concurrency limits (#1971)

Sandbox concurrency is now governed at two levels: global environment caps and per-org governance. Default caps were lowered to suit a small host — operators on larger boxes should set these explicitly:

  • SANDBOX_MAX_CONCURRENT default 4 → 2
  • SANDBOX_MAX_SESSIONS default 10 → 2
  • SANDBOX_MAX_SESSIONS_PER_ORG remains 50

Unified chat panel + branch-aware workspace inheritance (#1934)

Consolidated chat experience into a single panel, with sandbox workspaces that inherit from their parent branch.

Fixes

  • Sandbox-agent 401 responses no longer launder into a fake success (#2100).
  • Website scan no longer spins indefinitely on un-markable (canonical) URLs.

Operator notes

Migrations run automatically on tale deploy (auto-detected, confirmed at deploy). This release adds:

  • Fold legacy audit_retention policy into retention_policy (destructive, reversible)
  • Migrate ssoProviders into the file-based Enterprise SSO connection (reversible)
  • Export orgPackagePolicy → file-based run_code governance policy (reversible)
  • Export modelSyncSettings → file-based model_sync governance policy (reversible)
  • Drop legacy orgPackagePolicy rows, post-export cleanup (destructive, reversible)
  • Drop legacy modelSyncSettings rows, post-export cleanup (destructive, reversible)

Upgrade with tale upgrade, then tale deploy.

Auf GitHub ansehen

v0.2.86

Tale v0.2.86

Website crawling now runs in-process (#1935)

Registered websites are now re-crawled by an in-process Convex cron (scan due websites, every 5 minutes) — the replacement for the former standalone crawler service's poll loop. Without it, registered websites never re-crawled after the standalone service was removed. Full-site sitemap discovery is also restored (the interim 100-URLs-per-scan cap was a regression); the discovery ceiling is tunable via the optional CRAWLER_MAX_DISCOVER_URLS env var.

Deploy fix: knowledge-db schema convergence

The private_knowledge and public_web baselines now idempotently add later columns (metadata, org_slug, the chunk overlap columns, …) onto pre-existing tables. Deployments whose knowledge databases were created by the old per-service RAG/crawler migrations — before the baseline consolidation in #1883 — previously crash-looped at deploy with column "metadata" does not exist. The change is metadata-only (every column is nullable or defaulted) and safe on populated tables.

Release pipeline now ships the controller and LLM-gateway images

tale-controller and tale-llm-gateway are now built and pushed as part of a release (11 service images total, native amd64 + arm64). They were previously built in CI but absent from the release image set.


Operators: upgrade with tale upgrade, then tale deploy. The schema convergence runs automatically via dbmate; no manual steps.

Auf GitHub ansehen

v0.2.85

v0.2.85 — Apps platform, the AI Workforce, and persistent sandbox agents

This is a large release. It introduces a config-driven Apps platform (installable packs that bundle app-scoped agents, workflows, and sandbox-agent steps), the AI Workforce (an agent company with an organigram, task operations, and Discussions), and persistent sandbox agent sessions that run Claude Code with docker-in-sandbox, browser human-takeover, BYO credentials, and rotating token sources. It also ships SSO/identity hardening (generic OIDC claim mapping + PKCE, passkey/2FA controls, server-side idle timeout), a zero-friction guided setup, and a knowledge-platform refactor that moves RAG into the Convex backend behind a dedicated knowledge-db container.

🔒 Security & Identity

  • Generic OIDC claim mapping, role-mapping rules, and PKCE — map arbitrary identity-provider claims to Tale roles and use PKCE for the auth-code flow (#1857)
  • Passkey admin revocation, configurable 2FA-wall enforcement options, and sign-in audit events (#1859)
  • Server-side session idle-timeout enforcement (#1862)
  • Knowledge entries are now written through an approval-gated knowledge_write path (#1866)
  • Audit-log retention and PII-scrub checkpoints are signed with a new TALE_AUDIT_SIGNING_KEY (HMAC-SHA256), making the audit hash chain tamper-evident; the key supports rotation via TALE_AUDIT_SIGNING_KEY_PREVIOUS (#1879)
  • Sensitive form fields are masked in the UI (#1912)
  • Ratcheted the dependency CVE gates from CRITICAL down to HIGH (#1856)

💥 Breaking Changes (operator-facing)

  • The tale-crawler and tale-rag containers are removed. RAG/knowledge processing now runs inside the Convex backend (node-actions), backed by a new dedicated knowledge-db container (ParadeDB: pg_search + pgvector). A new optional KNOWLEDGE_DATABASE_URL (or KNOWLEDGE_DB_NAME, default tale_knowledge) points at it; it defaults to the bundled knowledge-db service and is split out so it can be relocated for data residency (#1907)
  • RAG cross-encoder re-ranking is now API-only. RAG_RERANKING_PROVIDER=local is no longer supported and fails fast — set RAG_RERANKING_PROVIDER=api pointing at an external Cohere/Jina-compatible /rerank endpoint (RAG_RERANKING_API_BASE_URL + RAG_RERANKING_API_KEY) (#1869)
  • Metrics endpoints consolidated. /metrics/crawler and /metrics/rag are removed; scrape /metrics/platform instead. Update any Prometheus scrape config that targeted the old paths

🚀 Features

Apps platform

  • Config-driven Apps platform: installable packs that bundle app-scoped agents, workflows, and sandbox-agent steps, isolated from the global catalog under a composite <app>/<name> slug (#1911)
  • Install/readiness wizard with inline integration-connect, per-agent dependency readiness (managed ↔ BYO), multi-project installs (one app → many projects), and durable task runs (#1927)

The AI Workforce

  • Workforce foundations: task operations, an org organigram, and per-agent logs (#1877)
  • The AI Workforce — an agent company with Discussions and human controllability over what agents do (#1907)
  • Task views split, @-mention descriptions, and per-agent metrics (#1878)

Persistent sandbox agents

  • Persistent agent sessions for Claude Code — a durable, resumable sandbox session per (org, user) (#1872)
  • Sandbox agents can use any connected org integration, with credentials that never enter the container (#1880)
  • Native docker/compose inside a session via configurable runtime tiers (runc/gVisor/sysbox/kata) (#1881)
  • Read-only sandbox observability in chat: a live browser view and a workspace file explorer (#1890)
  • External-agent BYO credentials plus per-user env vars and secrets (#1892)
  • Agent-initiated browser human takeover — an agent can hand the browser to a person (e.g. to solve a CAPTCHA) and resume (#1895)
  • Token sources: broker-fetched pools of rotating LLM credentials for BYO agents, with random pick and 401/429/529 failover (#1930)

External-agent chat

  • External-agent interactive/autonomous modes with incremental answer streaming (#1900)
  • Agent editor: switch an agent between internal/external types, with a folder breadcrumb (#1918)

Automations & workflows

  • Step-by-step debug mode for automations (#1871)
  • Per-step error feedback in the automation test panel (#1870)

Setup & operations

  • Zero-friction setup: guided CLI install, an onboarding wizard, and guided create flows (#1879)
  • Pre-migration volume snapshots and a new tale backup command (#1863)
  • Adaptive chat reliability and blue-green deploy tiers (#1914)
  • Cross-terminal clean-output rework for tale and bun run dev (#1904)

UI & UX

  • Settings full-width sweep, banner alerts, and login-UX refresh (#1910)
  • Refined settings layouts and onboarding-wizard UX (#1903)
  • Interactive PDF links and a branch-aware automation canvas (#1912)
  • Settings migrated to a left-rail sidebar across all pages (#1839)
  • Model capability details in an info popover (#1885)
  • Clearer notifications with locale-safe actor names (#1876)
  • Org deletion moved into the settings danger zone (#1891)

⚡ Performance

  • Single-source chat timeline with reduced render churn (and a fix for the reaped-turn error) (#1906)
  • Cut cross-component round-trips in getOrganizationMember (#1898)
  • Provider request-body mapping and max_completion_tokens for reasoning models (#1905)

🐛 Fixes

  • Per-project task dedup, stopped-run step settling, and sandbox stream-idle recovery (#1929)
  • Surface the raw provider error and stop mislabeling provider param rejections as user errors in chat (#1894)
  • Knowledge-db local-dev wiring and pdfjs extraction in the Convex node runtime (#1902)
  • Stop a long document name from overflowing adjacent columns (#1901)
  • Derive the dev builtin-config catalog from TALE_CONFIG_DIR (#1893)
  • Recover stuck websocket auth on cold start and fix skeleton-mask sizing (#1873)
  • Gate RAG queueing on a shared indexability allowlist (#1853)
  • Route all pdfjs consumers through a shared loader, fixing a DOMMatrix indexing failure during PDF extraction (#1933)

📝 Other

  • Switched raw <table> usage to the shared Table component (#1882)
  • Added a Playwright E2E suite with a mock LLM and CI workflow (#1860)
  • E2E/test tooling, the Opengrep SAST gate, and package cleanup (#1883)
  • Weekly model-catalog sync (#1884)
  • Rewrote the subprocessor tables for EU/EEA AI processing (#1874)
  • Added the /release skill and a Claude Code chat-agent config (#1928)
  • Pruned the remaining standalone crawler/rag service references across compose, docs, README, and CI; the sandbox LLM gateway ships as a first-class llm-gateway service (#1931)
  • Added a regression test verifying the web client passes the Mozilla Observatory security-headers check (#1932)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

This release contains a multi-step governance data migration and a container topology change — review before deploying:

  • Governance policies move from the database to per-org JSON files (3 migration steps). Steps 1–2 are non-destructive (export to files + split staged DSAR changes into a dedicated table). Step 3 drops the legacy governancePolicies rows and is gated behind explicit operator confirmation during tale deploy; it is reversible (each row is snapshotted before deletion). Run it only after verifying the exported governance files look correct.
  • Knowledge/RAG topology change. The tale-crawler and tale-rag containers are gone; a new knowledge-db container holds the corpus. See the updated container-architecture and data-residency docs before upgrading a deployment with an existing indexed corpus.
  • New audit signing secret. TALE_AUDIT_SIGNING_KEY is auto-generated and written to .env during deploy if missing (the deploy preflight verifies it). Back it up with your other secrets and keep it stable across deploys.
  • If you used local RAG re-ranking, switch RAG_RERANKING_PROVIDER to api (see Breaking Changes).
  • If you scrape metrics, update any scrape config pointing at /metrics/crawler or /metrics/rag to /metrics/platform.
  • The sandbox LLM gateway is now a first-class llm-gateway compose service. Its management-API password (LLM_GATEWAY_ADMIN_PASSWORD) is auto-generated on deploy if missing; set LLM_GATEWAY_ADMIN_USERNAME / LLM_GATEWAY_ADMIN_PASSWORD only to pin your own values.

Contributors

@larryro, @yannickmonney, @AdeolaAdekoya, @Israeltheminer


Auf GitHub ansehen

v0.2.84

Kubernetes sandbox backend, adaptive reasoning, and audit hardening

v0.2.84 — Kubernetes sandbox backend, adaptive reasoning, and audit hardening

This release adds a Kubernetes execution backend for the sandbox alongside the existing Docker path, a major LLM-pipeline upgrade (adaptive reasoning budgets, prompt caching, and a redesigned Auto router), and new knowledge-base workflows in chat. It also hardens audit-log access, clears the transitive HIGH dependency advisory backlog, and makes tale rollback safe by design.

🔒 Security

  • Audit-log reads are now restricted to org admins and owners. The public queries listAuditLogs, listAuditLogsPaginated, and getActivitySummary reject non-admin roles, the unused public getResourceAuditTrail query was removed, and the row-level-security matrix drops developer/editor audit-log access to write-only (#1852)
  • Cleared the transitive HIGH dependency advisory backlog: picomatch ReDoS (GHSA-c2c7-rcm5-vvqj), lodash _.template code injection (GHSA-r5fr-rjxr-66jc, overridden to 4.18.1), and the tar path-traversal advisory family via removal of an orphaned canvas lockfile entry (#1854)

🤖 Model & Provider

  • Adaptive reasoning governor: thinking budgets now adapt per (model, agent type) profile with self-calibrating difficulty thresholds. Output truncation no longer counts as thinking starvation, and wasteful reasoning (high thinking, tiny answer) trims the budget (#1838)
  • The Auto router is now a config-defined agent backed by a fast classifier model, replacing the hardcoded lexical heuristics. Routing decisions are cached, and models with missing keys or broken configuration are skipped at resolution time instead of producing a doomed request (#1838)
  • Updated OpenRouter provider catalog and a new coder example agent for fresh deployments (#1838)

💥 Breaking Changes

  • tale rollback no longer accepts an arbitrary -v/--version flag. The only valid target is the recorded previous version, and only when it shares major.minor with the running platform (patch-only rollback). On refusal the command prints the snapshot-restore runbook instead of proceeding. Update any operator scripts that pass --version (#1861)

🚀 Features

  • The sandbox service can now run on Kubernetes: SANDBOX_BACKEND=docker|kubernetes selects between the unchanged Docker Compose backend (still the default) and a new exec-free Pod-per-exec Kubernetes backend that needs no docker.sock or host-path workspace (#1841)
  • @-mention knowledge-base documents in chat: an anchored picker in the composer pins up to 5 indexed documents to a turn, scoping that turn's retrieval to exactly those documents (#1864)
  • Folder-scoped RAG search: retrieval can be limited to a single Document Hub folder and all of its subfolders (#1865)
  • Live per-node execution status on the workflow canvas, driven by a single reactive query (#1868)
  • New integration_processing_records workflow action for incremental, deduplicated processing of external SQL/REST integration data, with four incremental strategies (#1858)

⚡ Performance

  • Generic prompt caching with per-model strategies (explicit cache breakpoints for Anthropic/Gemini via OpenRouter, deterministic cache keys for OpenAI/DeepSeek) plus cache pre-warming on composer focus, reducing latency and cost on repeat prompts (#1838)

🛠 Improvements

  • Smoother streamed-text rendering: chat responses now reveal at clause boundaries instead of raw token chunks (#1838)

🐛 Fixes

  • Workflow execution step journals rendered empty for roughly 75% of runs due to a component shard-routing bug; journal loads now resolve the execution's actual shard (#1868)
  • Inline chat token count now shows output tokens instead of input/total (#1838)

📝 Other

  • RAG indexing status is consolidated onto fileMetadata.ragStatus as the single source of truth inside Convex; documents.ragInfo and documents.indexed are deprecated but remain readable for existing rows (#1840)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required. During tale deploy you will be prompted to confirm two automatic data backfills (RAG status consolidation and folder-path indexing); the RAG database schema migration applies automatically when the database container starts.

Contributors

@larryro, @yannickmonney


Auf GitHub ansehen

v0.2.83

Reasoning latency metrics and a leaner chat path

v0.2.83 — Reasoning latency metrics and a leaner chat path

This release adds reasoning-aware time-to-first-token metrics, so you can see what you actually wait for on a reasoning model — the "thinking" stream that starts before the first answer token — plus a send-relative breakdown that exposes the backend "setup before model" overhead the old action-relative metric missed. It then cuts that overhead with a consolidated governance round-trip and pre-stream parallelization, enforces role-scoped feature flags in chat, and records usage, audit, and metrics for content-policy-blocked turns.

🔒 Security

  • Role-scoped feature flags are now enforced in chat. The resolver was invoked without the user's role, so scope: 'role' rules silently never matched even though the UI reported them active. The role already resolved for the budget check is threaded through, so role-targeted flags apply consistently on the backend. (#1837)

🚀 Features

  • Reasoning-aware time-to-first-token metrics: the message info dialog now shows "Time to first reasoning" — the wait until a reasoning model's thinking starts streaming, which happens before the first answer token — and a send-relative "Setup before model" breakdown that captures the backend pre-stream hops the previous action-relative metric never measured. New optional timeToFirstReasoningMs and timeFromSendMs message-metadata fields back the dialog. Includes a dev/admin-gated "direct TTFT" probe that streams straight to the model — bypassing the persistence/delta/scheduler layers — so a developer can compare the pipeline against the model's own floor. (#1837)

⚡ Performance

  • Faster chat "Setup before model" wait: the per-turn governance reads (default-model override, accessible-model filter, model-access check, plus org membership and team IDs) are folded into a single resolveGenerationGovernance round-trip, and the pre-resolved role/team context is threaded through the generation path so startChat and budget enforcement skip duplicate Better Auth lookups. Two cross-component getThread calls are replaced with a direct metadata read. Warm pinned-model path: startChat ~300ms → ~90–200ms; "Setup before model" ~404ms → ~265–290ms. (#1837)
  • Pre-stream parallelization: the per-turn skill snapshot is cached in-process (mtime-validated) instead of rebuilt every send via nested node-action round-trips and disk reads, the budget check and feature-flag resolution now run concurrently, and generation is dispatched via an awaited runAction so it can start on a free event-loop tick. (#1837)

🐛 Fixes

  • Content-policy ("guardrails") blocks now record a usage-ledger row, an AI audit entry, and timing metrics. The block sites returned early without running onAgentComplete, so a block consumed provider tokens but left no usage, audit, or metric trace. (#1837)
  • Overlapping sends no longer double-generate and double-bill: a new send (multi-tab, API, or cancel-then-resend) now cancels the in-flight turn before starting a new one. (#1837)
  • Restored the arena first-message branch link, which a content-policy/scheduler split had caused to be created before the user message was saved (dropping the A↔B link). It's now created after the message commits, best-effort. (#1837)
  • Restored synchronous PROJECT_MISMATCH detection after generation moved async, mapped all PROJECT_* codes to their localized toast, and wrapped the model-denied audit write so an audit failure can't swallow the user notice. (#1837)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required. The two new message-metadata fields (timeToFirstReasoningMs, timeFromSendMs) are optional and apply automatically on deploy; rows written before this release simply omit them. The dev-only direct-TTFT probe reuses the existing TALE_DEPLOYMENT_CONFIG_ADMINS allowlist (empty/unset = nobody, fail-safe) — no new environment variable is needed.

Contributors

@larryro


Auf GitHub ansehen

v0.2.82

v0.2.82 — Data residency, passkeys, and Auto routing

This release adds deployment-level data residency for self-hosted instances (external knowledge Postgres, app Postgres, and S3 file storage), WebAuthn/passkeys with 2FA enforcement, and an "Auto" agent mode that routes each message to the right agent server-side. It also lands a broad performance pass across dashboard navigation, chat/org switching, and Convex per-request auth cost, plus org-configurable session idle timeout, out-of-band audit-integrity alerts, dependency CVE patches, and a large batch of table and chat UI polish.

🔒 Security

  • WebAuthn / passkeys: enroll, sign in, and revoke passkeys from account settings, with register/revoke audit entries. A registered passkey satisfies an enforced two_factor_policy alongside TOTP, so passkey-only users are never bounced to the TOTP wall. (#1822)
  • Org-configurable session idle timeout: admins can set the inactivity window from Settings → Security. The deployment-wide SESSION_IDLE_TIMEOUT_MINUTES stays the server-side hard cap — an org may only tighten it, never extend past it — and drives the client idle watchdog. (#1819)
  • Out-of-band alerting on audit-log integrity failure: the nightly hash-chain/checkpoint verification now raises a critical security notification (in-app bell + Slack fan-out) to org admins on any chain break, truncation, or checkpoint mismatch, not just an in-band audit row. (#1820)
  • Env-var source for provider API keys: a provider or model may set a secretsEnv field in its public <provider>.json to source the key from an environment variable, for operators whose secrets live in Kubernetes Secrets / Vault / cloud secret managers. The env-var name must use the reserved TALE_PROVIDER_KEY_ prefix and is fail-closed — unset, empty, or non-prefixed names fall back to the existing file key, so file-only deployments are unchanged. (#1711, #1832)
  • Failed-login lockout advisory: a failed credential attempt now shows a calm advisory that repeated failures temporarily lock the account. Deliberately not a per-attempt counter, which would reintroduce account enumeration and hand attackers a brute-force budget. (#1811)
  • Dependency security patches: hono 4.12.21 (mount-prefix advisory, #1830) and the vitest toolchain 4.1.8 (clears the critical otelCarrier advisory GHSA-2h32-95rg-cppp, #1823). Recorded accept-risk CVE suppressions and documented the security-update flow ahead of ratcheting the CVE gate. (#1821)

🤖 Model & Provider

  • "Auto" agent mode: when no assistant is pinned, the composer sends an auto sentinel and the server resolves it to a concrete agent before generation, so the thread commits the real agent from the first frame. Routing uses a cheapest-first ladder (≤1 candidate or trivial greeting → no LLM call; otherwise one timeout-raced classifier call that degrades to the default agent on timeout or failure, never blocking first-token latency). Agents now also support ordered multi-model selection — the first model is the default, the rest are fallbacks. (#1829)

🚀 Features

  • Deployment-level data residency: a flag-gated admin UI (Settings → Data residency) points a self-hosted deployment's knowledge Postgres, app Postgres, and Convex file storage at customer-controlled infrastructure. Config is a deployment-scoped deployment.json (+ SOPS secrets), consumed by the rag and convex entrypoints at boot and fail-closed; absent config keeps today's defaults. Includes per-section connection testing and an opt-in controller sidecar for one-click "Apply & restart". Writes are gated by org owner/admin plus the TALE_DEPLOYMENT_CONFIG_UI flag. (#1827)
  • Automation tester result feedback: the test panel now subscribes to the run it started and shows live status — running (with the current step), completed, or failed (with the failing step name and error) — instead of only toasting "execution started". (#1817)

⚡ Performance

  • Near-instant warm dashboard page transitions: fixed route-loader prefetches that never matched the table's actual usePaginatedQuery subscription, so navigating between list pages no longer flashes a skeleton. (#1833)
  • Reduced Convex per-request auth + query cost: request-scoped memoization resolves {user, orgs, teams} once per request instead of repeating cross-component Better Auth calls on the hot path (amplified ~5–10× on self-hosted), plus a set of query/frontend cleanups. Behavior-preserving. (#1831)
  • Faster chat switch, org switch, and setting toggles: consolidated four per-thread queries into one getThreadMeta behind a single access check, de-waterfalled org switching, fixed N+1/unindexed queries, and added optimistic updates to toggles. (#1825)
  • Gated cold-load queries on auth via an account bootstrap, so unauthenticated cold loads stop firing data queries.

🛠 Improvements

  • Split People settings into dedicated Organization and Teams destinations: Members now live under Organization (prefetched in the route loader), Teams get their own /settings/teams route, and /settings/people redirects so existing links keep working. (#1836)
  • Shared DataTable polish: fixed-width select-checkbox and row-actions columns align across every table, consistent row height, and skeletons that match the real table layout. (#1835)
  • Raised form-label contrast to text-foreground at the shared-component level (a11y), polished the filter popover and read-only email surfaces, and refreshed the feature-chat marketing image. (#1834)
  • Polished the list header, mobile header, chat toolbar, loading skeletons, and tab navigation. (#1824)

🐛 Fixes

  • Made chat auto-scroll instant so sending a message no longer stalls part-way up the thread. (#1826)
  • Preserve reasoning and tool parts when branching an edited chat, and keep chat markdown headings plain (no doc-style anchors).
  • Keep one-off translation requests in the reply language. (#1813)
  • Highlight a duplicated agent as a new row. (#1812)
  • Keep tooltips clear of viewport edges and controls. (#1814)
  • Fixed Vite dep-optimizer 404s and tab-underline alignment. (#1828)
  • Made the read-aloud toggle available on a new chat.
  • Aligned the provider-details, add-provider, provider-options, and erasure-request drawers with the shared settings-UI chrome.
  • Relaxed the platform health-check interval to cut boot noise. (proxy, #1815)
  • A batch of skeleton, mobile-header, table min-width, automation-centering, and retention-timeline mobile-width fixes.

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — all schema changes this release are additive (new optional fields, new indexes, and a new session_idle_timeout governance policy) and apply automatically on deploy. Three new capabilities are opt-in and leave existing behavior unchanged:

  • Data residency — set TALE_DEPLOYMENT_CONFIG_UI to expose the write UI, and optionally set CONTROLLER_TOKEN to enable the controller sidecar for one-click "Apply & restart" (otherwise apply with docker compose restart rag convex). An external knowledge DB must run ParadeDB (pgvector + pg_search) or hybrid search degrades to vector-only; switching local → S3 file storage is greenfield and does not migrate existing blobs.
  • Env-sourced provider keys — add a secretsEnv field to a provider/model in <provider>.json pointing at an env var named with the reserved TALE_PROVIDER_KEY_ prefix. Leave it unset to keep using file-based keys.

Contributors

@yannickmonney, @larryro, @Israeltheminer, @AdeolaAdekoya, plus dependency security updates via Renovate.


Auf GitHub ansehen

v0.2.81

Tasks, collaboration, and session security

v0.2.81 — Tasks, collaboration, and session security

This release adds a task platform with a collaborative inbox and project-scoped secrets, plus Slack and Confluence integrations and a generic OIDC SSO adapter. It hardens sessions with optional server-side idle timeout and adds daily audit-log integrity verification, alongside dependency CVE patches and a large batch of UI and import fixes.

🔒 Security

  • Server-side session idle timeout: set the optional SESSION_IDLE_TIMEOUT_MINUTES (1–1440) to sign a session out after inactivity. The window slides on activity and is enforced server-side across email/password, SSO, and trusted-headers sessions; the client also warns and signs out idle sessions. Unset by default, so existing behavior is unchanged. (#1808, #1810)
  • Daily audit-log integrity check: the hash-chain + checkpoint verification that previously ran only on demand now runs daily across every org and raises a security-category audit row plus a structured alert on any chain break, truncation, checkpoint mismatch, or unsigned PII scrub. (#1805)
  • Force re-authentication after a voluntary password change so prior sessions can't continue. (#1769)
  • Block CI on high/critical CVEs and fast-track Renovate security updates (supply-chain hardening). (#1784)
  • Dependency security patches: axios 1.16.0 (#1788), python-multipart 0.0.27 (#1787), brace-expansion 5.0.6 (#1785), turbo 2.9.14 (#1786).

🤖 Model & Provider

  • Centralize AI reply-language behind a shared priority chain (explicit request → message language → browser-locale fallback) and remove the per-agent language block from all shipped agents, so reply-language resolves consistently across agents. (#1795)

🚀 Features

  • Task platform with a collaborative inbox: tasks, comments, activity, dependencies, and board views, with project-scoped secrets, per-agent secret access, and user notifications/subscriptions. (#1761)
  • Slack integration: inbound bot (app mentions and DMs) and outbound workflow/security notifications, via a bring-your-own Slack app installed by manifest + OAuth. (#1762)
  • Confluence Cloud read-only sync integration. (#1807)
  • Generic OIDC identity-provider adapter for SSO. (#1809)
  • Upload product images during product create/edit. (#1797)

🛠 Improvements

  • Consolidate API settings into a single page and refine the navigation chrome and account menu. (#1806)
  • Assign documents and folders to multiple teams. (#1773)
  • Default to the team context in the prompt library's Team tab. (#1798)
  • Show price, category, and status in the product list. (#1767)
  • Show tags and assigned team on prompt list rows. (#1777)
  • Paginate the organization members table. (#1796)
  • Clarify upload-success vs. background-indexing copy, and hide masked content behind a skeleton while loading. (#1778, #1779)

🐛 Fixes

  • Ignore a spurious empty Radix Select change that falsely dirtied org settings. (#1816)
  • Accept uiLanguage in the shared userContext validator. (#1802)
  • Gate the DB healthcheck on an init-completion marker. (#1801)
  • Make form-field borders visible in light mode, and cap the select dropdown height to the viewport. (#1800, #1799)
  • Validate required columns on product CSV import, and harden customer/vendor import against silent data loss. (#1793, #1766)
  • Gate the automation tester on input validation, and add a timeout to the MCP server connection test. (#1792, #1790)
  • Lock upload team selection to the folder's team. (#1776)
  • Gate create-dialog submit buttons on form validity. (#1765)
  • Surface the missing-password error on the add-member form. (#1768)
  • Reject conflicting allow/block extensions in the upload policy. (#1770)
  • Use sensible thread titles for attachment-only chats, and stop dictation when a chat message is sent. (#1771, #1772)
  • Label custom condition branches in the automation flow. (#1774)
  • Right-align the team row action menu. (#1794)
  • Comment cascade, screenshot, notification skeleton, and label fixes. (#1763)

📝 Other

  • Document PII at-rest posture (Option B). (#1804)
  • Cryptography reference aligned with BSI TR-02102-1. (#1780)
  • Worked examples: Prometheus + Grafana, audit-log export, and modular AI-directed test guides per feature module. (#1781, #1782, #1783)
  • Private-host provider policy + OAuth2 callback URL docs, and fix the OpenAI-compatible endpoint path. (#1775, #1764)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — new tables and the daily audit-log integrity check apply automatically on deploy. Optionally, set SESSION_IDLE_TIMEOUT_MINUTES (1–1440) to enable server-side idle sign-out; leave it unset to keep the current session lifetime.

Contributors

@yannickmonney, @larryro, @Israeltheminer, plus dependency security updates via Renovate.


Auf GitHub ansehen

v0.2.80

v0.2.80 — Hardened org-first config migration

This release hardens the org-first config-layout migration introduced in earlier versions. The Convex entrypoint now self-heals provider secrets that an interrupted upgrade left behind at legacy paths, and the CLI resolves project context before any irreversible directory renames so a migration can no longer be left half-finished. It also fixes an infinite render loop in the governance editors plus minor chat and settings UI polish.

🐛 Fixes

  • Recover provider API-key secrets stranded by an interrupted org-first migration: the Convex entrypoint now self-heals legacy-path *.secrets.json into the org-first layout on every boot. It is idempotent, never clobbers a secret the UI already wrote to the new path, copies (not moves) so the legacy files remain as rollback insurance, and validates the org slug before migrating per-org secrets. This fixes spurious "No API key configured" errors on deployments whose host directories were migrated but whose container secrets were not. (#1760)
  • Resolve the project ID before any irreversible host-directory renames in tale start and tale update: a missing project context now fails fast instead of leaving a project half-migrated (host moved, container not). (#1760)
  • Stop an infinite re-render loop in the Budget and Default Model governance editors by memoizing on the policy config value rather than the query wrapper object. (#1760)
  • Fix the chat welcome view centering. (#1760)

🛠 Improvements

  • Show a loading skeleton for the retention policy timeline while it loads. (#1760)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — the provider-secret self-heal runs automatically on boot. Operators still on the legacy flat layout with custom non-secret edits may optionally run tale deploy --override-all -y to migrate host-side config, then tale migrate config-layout --cleanup-old once they've verified health.

Contributors

@larryro


Auf GitHub ansehen

v0.2.79

v0.2.79 — WebDAV document mounts, unified search, and org-isolation hardening

This release adds WebDAV support to mount an organization's documents as a network drive, a unified search palette shared across the platform and docs, and a fully recursive Google Drive sync with delete/rename reconciliation. It also hardens multi-org isolation in the RAG service with shared-secret authentication and per-org data scoping, and refactors the on-disk config into a uniform org-first layout that is auto-migrated during tale upgrade.

🔒 Security

  • Hardened the RAG service for multi-org deployments (#1752):
    • Shared-secret authentication — the RAG service now accepts an Authorization: Bearer token (RAG_AUTH_TOKEN) with a constant-time compare, defending against lateral access on the internal Docker network. Auth is presence-based: when the token is unset the service stays open and logs a loud [SECURITY] warning on every boot.
    • Per-org data isolation — every protected endpoint now requires an X-Tale-Org header, and the data layer enforces org_slug on documents, chunks, and the semantic cache (with a cross-table foreign key). Two orgs with semantically identical queries can no longer pull each other's cached responses via embedding similarity. The schema migration runs automatically and idempotently at RAG startup.

💥 Breaking Changes

  • Uniform org-first config layout (#1752): the config tree is now <root>/<org>/<domain>/... for every org, including default. tale upgrade and tale start auto-detect the legacy flat layout (agents/, workflows/, … at the project root) and migrate it in place after an interactive confirm. See the Migration Guide below.
  • Per-domain config env overrides removed (#1752): AGENTS_DIR, WORKFLOWS_DIR, PROVIDERS_DIR, INTEGRATIONS_DIR, and SKILLS_DIR are no longer honored — the platform strips them from the Convex deployment env on every boot. Operators with custom paths must set a single TALE_CONFIG_DIR root and place files under <org>/<domain>/.

🚀 Features

  • WebDAV server (#1757): mount an organization's documents as a network drive from Finder, Windows File Explorer, iOS Files, or rclone via a read-write WebDAV Class 2 endpoint at /dav/<orgSlug>/. Per-user app-passwords are managed under Settings → WebDAV; uploads land in the Document Hub and flow through the existing RAG indexing pipeline, with .trash soft-delete and lock support. The HMAC key auto-derives from the deployment's instance secret, so no extra configuration is required.
  • Unified search palette (#1758): one shared command palette across the platform and the docs site, backed by a new backend entity-search seam with org-scoped relevance ranking (exact → prefix → substring, then newest). Ships alongside an optimistic-update data layer that makes list edits and deletes feel instant.
  • Recursive Google Drive sync (#1756): the Google Drive integration now mirrors nested folder hierarchies, reconciles deletes (removing synced docs + their RAG entries when they vanish from Drive), and detects renames and cross-folder moves without re-downloading. Includes data-loss safety hardening (truncation guard skips reconcile, atomic upserts, cross-sync isolation).
  • Recover failed audio transcriptions (#1753): failed dictation and audio-upload transcriptions can now be retried from the UI without re-recording or re-uploading — the recording is retained and re-sent on retry.
  • Install the PWA from iOS (#1744): the "Get app" menu entry now appears on iOS Safari and opens an illustrated "Add to Home Screen" sheet, instead of being hidden on browsers that don't fire the native install prompt.

🛠 Improvements

  • Mobile navigation overhaul (#1759): a five-slot bottom nav with a featured Chat tab and a "More" overflow sheet, a back button on dashboard sub-pages, and safe-area polish so installed PWAs draw correctly down to the home indicator.
  • Settings & notifications polish (#1754): Cancel/Discard buttons on settings pages, the notification bell moved to a standalone sidebar popover, entity-named row counts across data tables ("Showing all 7 agents"), and assorted dropdown/menu refinements.
  • Icon-only toolbar buttons on mobile (#1747): a shared opt-in collapses button labels to icons below the sm breakpoint (keeping accessible names), applied across Save/Discard clusters and editor toolbars to stop button bars from crowding.
  • Redesigned maintenance screen (#1743): the proxy maintenance/update page now matches the offline screen's design system (design tokens, light/dark, reduced-motion support).
  • Calmer overlays (#1750): removed the zoom-scale entrance from popovers, dropdowns, menus, selects, and dialogs — they now animate with fade + slide only.

🐛 Fixes

  • Document search covers all pages (#1745): searching or filtering the documents table now eagerly loads the remaining pages, so matches outside the first 20 rows are found instead of reading as "no results."
  • New orgs seed from the builtin catalog (#1751): scaffolding a new org no longer copies the default org's writable workspace, so scratch agents and test workflows stop leaking into new orgs as templates.
  • Mobile settings Save/Discard (#1749): the Save/Discard cluster is now visible on small screens via a mobile-only action bar, and the duplicate "unsaved changes" prompt on discard-and-leave is fixed.
  • Mobile top-bar and bottom spacing (#1746): top-bar controls no longer collide with the iOS status bar / Dynamic Island, and the empty band below the bottom nav (a double-counted safe-area inset) is gone.

📝 Other

  • Added WebDAV usage and API documentation in en/de/fr (#1757).
  • Pointed the subprocessors DPA links to the canonical web URL, fixing the docs link-check CI (#1748).

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Migration Guide

This release requires attention for two changes. The RAG schema migration and the container-side config migration are handled automatically; the host-side config-layout move is prompted during tale upgrade.

1. Config layout is migrated automatically (one-time). The config tree is now uniformly org-first (<root>/<org>/<domain>/...). When you run tale upgrade (or tale start), it detects the legacy flat layout and prompts you to migrate it in place (default No — answer Yes). The move is rollback-insured: container-side providers/secrets are copied, not moved, and cleaned up later.

  • CI / non-TTY: tale upgrade has no --yes flag and will abort on a legacy layout rather than migrate silently. Migrate explicitly with tale start --yes (dev) or tale deploy --override-all -y (prod).
  • After the new deployment is healthy, you can optionally reclaim the rollback copies (sha-verified before removal):
    tale migrate config-layout --cleanup-old
    

2. Replace per-domain config env overrides (only if you use them). AGENTS_DIR, WORKFLOWS_DIR, PROVIDERS_DIR, INTEGRATIONS_DIR, and SKILLS_DIR are no longer honored. If you relied on them, set a single root instead and lay files out per org:

# Before: AGENTS_DIR=/custom/agents WORKFLOWS_DIR=/custom/workflows ...
# After:
TALE_CONFIG_DIR=/custom/config   # then place files under <org>/<domain>/, e.g. default/agents/, default/workflows/

3. (Recommended) Enable RAG service authentication. The RAG service now supports shared-secret Bearer auth, but stays open (with a loud [SECURITY] log warning each boot) until you set it. To enable it, set the same token on both the platform and RAG containers:

# Generate once, then set the SAME value on both containers' env:
RAG_AUTH_TOKEN=$(openssl rand -hex 32)

Per-org RAG data isolation (the org_slug schema migration and semantic-cache scoping) applies automatically — no manual database step is required.

Contributors

@yannickmonney, @larryro, @Israeltheminer, @AdeolaAdekoya


Auf GitHub ansehen

v0.2.78

Compliance docs refresh & settings scroll fix

This release refreshes the legal and compliance pages on the Tale website: a rewritten DPA with a binding no-training clause, a new Technical & Organizational Measures (TOM) document, and corrected subprocessor and data-residency disclosures. It also fixes audit-log table scrolling on the settings page and tidies the settings navigation.

🛠 Improvements

  • Audit logs now scroll within their own bounded container on the settings page instead of stretching the whole page; Skills moved next to Providers in the settings navigation.
  • New Technical & Organizational Measures (TOM) legal page (EN/DE/FR), with a tab strip linking it alongside the DPA so enterprise reviewers can see both together. The DPA/TOM download now uses the browser's print-to-PDF for a clean export.

🐛 Fixes

  • The DPA download button previously served the SPA shell as a .pdf (HTML masquerading as a PDF) because the production build never generated the static file; it now triggers a proper browser print / save-as-PDF.

📝 Other

  • DPA rewritten with a binding no-training clause — no use of customer data (prompts, inputs, outputs, embeddings, audio, images, derived artifacts) for training, fine-tuning, evaluation, or benchmarking without a separate written opt-in. Corrected subprocessor list (removed Convex, Cloudflare, and direct Anthropic; OpenAI narrowed to audio/STT+TTS; added Vercel AI Gateway and Exoscale) and introduced per-customer data residency (Switzerland for Swiss customers, the EU for all others).
  • Corrected the cloud/billing docs to reflect the two actual plan tiers — Community (self-hosted, open source) and Enterprise — instead of the previously documented three.
  • Consolidated the footer company address into global.json and fixed the Seestrasse spelling.
  • Centralized the i18n test suite and translation-skill tooling (#1740).

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration required.

Contributors

@yannickmonney


Auf GitHub ansehen

v0.2.77

v0.2.77 — Per-agent skill allowlist

Agent skill access is now governed by an explicit per-agent skillBindings allowlist instead of the previous implicit "all org skills visible to every agent" default. Operators choose which skills each agent can read via a new SkillSelector in the agent editor's Tools tab; agents with no bindings see no skills, no expand_skill tool, and no "Available Skills" prompt section.

💥 Breaking Changes

  • Agents no longer inherit every uploaded org skill by default. skillBindings on the agent config is now a hard allowlist — empty or absent means the agent has zero skills at runtime (no expand_skill tool registration, no skill disk reads at turn start, no "Available Skills" prompt section). Existing agents will see zero skills until an operator opens each one and binds the skills it needs; there is no automatic backfill. (#1742)

🚀 Features

  • New SkillSelector in the agent editor's Tools tab, matching the existing tool/integration/workflow binding patterns, with full en/de/fr translations and a dedicated agents/$agentId/skills route. (#1742)
  • buildSkillContext now intersects bound slugs with the org's actual skill directory and silently drops stale bindings, so renaming or deleting a skill on disk no longer breaks agents that referenced it. (#1742)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Migration Guide

After upgrading, every existing agent will start with an empty skill allowlist. For each agent that should keep using skills:

  1. Open the agent in the platform UI.
  2. Go to the Tools tab.
  3. In the Skills section, select the skills the agent should have access to.
  4. Save.

No data migration, schema change, or CLI command is required — the binding lives in the agent config and is applied on the next chat turn.

Contributors

@larryro


Auf GitHub ansehen

v0.2.76

Skill upload hardening

v0.2.76 — Skill upload hardening

Closes data-safety and UX gaps in the skills upload flow surfaced by multi-agent review. Adds cross-tenant storage isolation, per-slug exclusion locking, blob lifecycle cleanup, and protects UI-uploaded skills from being clobbered by tale deploy. No schema-breaking changes; no manual migration required.

🔒 Security

  • Bind each _storage blob to the uploading org via a new skillUploadIntents table; uploadSkillBundle now refuses any storageId not owned by the caller, closing a cross-tenant read/delete path on client-supplied storage ids (#1741)
  • Serialize concurrent force: true uploads to the same (orgId, slug) via a new skillUploadClaims exclusion lock so racing uploads can no longer last-writer-wins past the existence check (#1741)
  • Wire all _storage blob disposal through a single cleanupUploadResources helper so cancel, parse failure, write failure, and success paths all delete both the blob and its intent row — no orphaned blobs per replace cycle (#1741)
  • Replace six empty catch {} blocks across skill file IO with errnoCode-gated logging (CLAUDE.md hard rule) so non-ENOENT filesystem errors no longer disappear silently (#1741)
  • scaffoldNewOrganization's copyTree now skips @<slug>/ tenant-namespaced entries so creating a new org no longer recursively copies every other org's skills/integrations/workflows into the new namespace (#1741)

🛠 Improvements

  • tale deploy preserves UI-uploaded skills: any slug already present in the container is stripped from the host sync via the new listContainerSkills + stageSkillsWithoutConflictingBundles path (mirrors the providers SOPS-secrets branch); replaces the prior best-effort backup-to-.tale-backup/ workaround (#1741)
  • duplicateSkill now preserves binary assets (PNG / PDF / fonts) by routing through a new buffer-safe readFileBufferSafe + atomicWriteBuffer pair instead of the prior UTF-8 round-trip that corrupted non-text files; emits a dedicated duplicate_skill audit action (#1741)
  • macOS __MACOSX/, .DS_Store, and Thumbs.db entries are filtered on both client and server parsers, so Finder's right-click → Compress output no longer fails with a misleading "missing SKILL.md" error (#1741)
  • Skills list updates without manual refresh after upload: dialog routes through useUploadSkillBundle (was raw useAction), and lib/config-watcher.ts learns the skills typeMap so SSE-driven invalidation covers them (#1741)
  • Upload dialog cancels its in-flight blob POST and skips stale-state setState on close via AbortController + isMountedRef; ConvexError toasts now show the human message via extractErrorMessage instead of a serialized error object (#1741)
  • Drop UX hardened: multi-file / folder / wrong-type drops produce specific errors; window-level dragover / drop preventDefault stops a missed drop from navigating the browser away (#1741)
  • Preview step now renders full SKILL.md frontmatter (license, recommended Python/Node, disable-model-invocation, unknown-key count) with an ICU plural file count; "Replace bundle" button added next to Duplicate / Delete in the detail panel (#1741)
  • Upload audit row now carries skillMdHash, totalBytes, license, and disableModelInvocation so a rollback investigation can tie an audit entry to a specific bundle (#1741)
  • DE strings fixed per TERMINOLOGY_DE.md (Wird hochgeladen…Lade hoch…, Bundle wird gelesen…Lese Bundle…); Zip aligned with .zip-Datei; orphan skills.asset.loadNotFound key renamed to skills.viewer.notFound (#1741)

🐛 Fixes

  • audit_mutations.ALLOWED_ACTIONS now includes duplicate_skill, so the new audit action isn't rejected at write time (#1741)

📝 Other

  • New migrations/backfill_skill_scaffolding internal action re-runs the idempotent per-org scaffolder so organizations created before the skills domain existed get their skills/ directory seeded on demand (#1741)
  • requireOrgMembershipById / requireOrgAdminOrDeveloper widened to accept ActionCtx | MutationCtx so the new V8 upload mutations reuse the same auth + role gate (no behavior change for existing callers) (#1741)

Upgrade

No manual migration required. Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Optional: if your deployment has organizations created before the skills scaffolding existed and you want their skills/ directory seeded without waiting for the first upload, run:

bunx convex run migrations/backfill_skill_scaffolding:backfillSkillScaffolding

This is idempotent and only seeds missing domains; it does not touch any existing skill bundles.

Contributors

@larryro


Auf GitHub ansehen

v0.2.75

v0.2.75 — Unblock stuck Convex deploys

Single-fix release. Drops the three text-search indexes (search_customers, search_products, search_projects) from the schema so convex deploy no longer stalls on a crash-looping SearchIndexBootstrapWorker. Affected callers fall back to scoped-scan name matching with no UI-visible change.

🐛 Fixes

  • Drop the search_customers, search_products, and search_projects search indexes from the platform schema to unblock convex deploy, which was hanging at Backfilling indexes (412/413 ready) until the 300 s timeout. Customer and project name search switch to scoped scans over their existing org indexes; email / external-ID branches are unchanged, and search_products had no callers. (#1739)

Upgrade

No manual migration required. Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Contributors

@larryro


Auf GitHub ansehen

v0.2.74

v0.2.74 — Stop re-prompting for OpenRouter key on upgrade

Patch release that fixes a CLI annoyance: tale upgrade / tale deploy no longer interrupts existing installs with an OpenRouter API key prompt when the local secrets file is absent. Operators who configure OpenRouter through Settings → AI providers (or use a different provider entirely) are no longer blocked at the terminal.

🐛 Fixes

  • Stop prompting for an OpenRouter API key during partial .env upgrade. The interactive password prompt was only meant for first-install onboarding; on the .env-already-exists path the CLI now emits a non-fatal warning instead, so deploy/upgrade stays unattended for users who have already provisioned the key elsewhere (#1738)

Upgrade

No manual migration required. Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Contributors

@larryro


Auf GitHub ansehen

v0.2.73

v0.2.73 — Code sandbox, projects, and mobile shell

Adds an isolated code-execution sandbox for runnable artifacts, project workspaces that bundle files/instructions/threads/agents, an installable PWA with a mobile-native shell, voice mode for streaming output, prompt template versioning, and a top-to-bottom marketing site rebuild. Also unifies org identity, hardens audit-log writes, and ships a new tale doctor CLI command.

🔒 Security

  • Drop orgSlug from the public action surface — all multi-tenant endpoints now key off org ID only, removing a class of slug-collision and impersonation footguns (#1734).
  • Allow audit-log chain writes through RLS so genesis + append rows commit under the same scope (#1726).
  • Sandbox containers run on an --internal bridge with NET_ADMIN-installed iptables rules that reject IMDS (169.254.169.254) and RFC1918 ranges, with a tinyproxy-based hostname allowlist (pypi, npmjs, GitHub package endpoints) gating all egress (#1727).
  • New SANDBOX_TOKEN HMAC secret between Convex and the sandbox spawner; auto-generated on first deploy and rotated headlessly on upgrade (#1727).

🚀 Features

  • Code-execution sandbox + runnable artifacts — new ephemeral container-per-call spawner runs Python/JS code with package-registry-restricted egress and per-container memory/PID caps (#1727).
  • Projects — shared workspaces that bundle files, custom instructions, threads, and agents under a single scoped surface, with archive, rename, sharing, and read-only viewer support (#1735).
  • Agent skills + thread workspace + canvas pane + mobile shell — agents gain reusable skills, threads expose a workspace view, the canvas pane is reorganized, and the mobile experience gets a dedicated shell (#1737).
  • PWA + mobile-native shell — platform is now installable as a Progressive Web App with a mobile-native shell, migrated onto the shared @tale/ui package (#1733).
  • Voice mode — streaming assistant output can now be played back as audio via TTS chunk tables and an opportunistic GC cursor (#1717).
  • Prompt template versioning — prompt templates carry full revision history with diff view (#1705).
  • Prompt categories — first-class scoped entities for organizing prompt templates, with member 2FA surfacing and settings polish landing alongside (#1721, #1722).
  • In-app changelog viewer — surfaces release notes inside the app for cross-version upgrades (#1709).
  • Paste-link video ingestion — paste a video URL into chat to ingest it via the new videoLinkJobs pipeline (#1724).
  • Assistant overlay on automation editor — open the AI chat directly over the automation editor for in-context edits (#1736).
  • Provider detail drawer + API-key suffix masking — inspect provider configs with the last few characters of API keys visible for verification (#1729).
  • AI providers search + pagination in the provider picker (#1728).
  • @tale/seo package — unified SEO + LLM-artifact generation across services, with plugin-based build-time precompile (#1718, #1719).
  • llms.txt across services — every public service now publishes a discoverable LLM artifact (#1707).
  • PII detection — new governance PII detector with three modes, multi-language address detection, IBAN/credit-card validation, and NFC normalization (#1710).
  • Shared AppShell unifies frontend provider stacks across services (#1716).
  • tale doctor CLI command for host preflight checks (sandbox-relevant items today; extensible) (#1727).
  • Hardware comparison gains a cables & network-equipment row, server-rack tier, and multi-node section.
  • Globe icon on the language switcher trigger.

🛠 Improvements

  • Marketing home rebuilt from .pen designs with new sections, dark mode, and animations (#1723, #1730).
  • Marketing site restructured into a clean folder layout with block-level dedup and polish (#1725).
  • Automation metrics page redesigned (#1703); automation chat input reaches parity with the main chat (#1706).
  • Provider drawer reorganized — headers outside the Card, ghost buttons, collapsible options guide (#1732).
  • Docs pages and tone of voice rewritten end-to-end; agent-skills docs reorganized; i18n tone + terminology pass (#1708, #1713).
  • Hardware page now derives every layout from a single catalog source.
  • Form labels drop the trailing "(optional)" suffix in favor of the required-star convention.

🐛 Fixes

  • Chat + dashboard no longer flash a wrong layout on initial load (#1720).
  • Language picker changes apply without a page refresh (#1714).
  • BETTER_AUTH_SECRET gets a safe default in local dev so signup works on a fresh clone.
  • Pricing slider now spans 0 – 1,000+ with a 25-user default.
  • Marketing site pinned to light mode; hash-scroll preload bug fixed; hardware spec values, AMD chip naming, and paren styling refreshed.
  • Mermaid edge labels with parentheses now render in docs.

📝 Other

  • Test files colocated next to source — all __tests__/ folders dropped (#1715).
  • Mintlify removed from docs; cluster-naming residue and marketing-icons / RackKey / unused root class-variance-authority dependency cleaned up.

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

The upgrade introduces two new lockstep services (sandbox and sandbox-egress) that ship and version with the platform image — both are pulled and started automatically by the default deploy path. A new SANDBOX_TOKEN secret is auto-generated on first deploy (headless deploys included). The personalization-toggle and other backfills run automatically inside migrations.runAll on deploy.

Note: the artifacts table was removed in favor of the new thread_files + sandbox + projects modules. Deployments that already hold rows in this table will need to drop them before tale deploy succeeds — for demo-stage installs this is typically a no-op.

Contributors

@yannickmonney, @larryro, @Israeltheminer, @Adeola-Adekoya


Auf GitHub ansehen

v0.2.72

v0.2.72 — Confidentiality notice refresh and example library cleanup

A small maintenance release. The chat confidentiality footer gets clearer copy and a centered layout across en/de/fr, and the shipped example-agent library is trimmed to the actively maintained set.

🛠 Improvements

  • Refresh the chat confidentiality footer: shorter copy that emphasizes verifying AI responses and avoiding sensitive data, with the icon and text now centered horizontally. Strings updated in en, de, and fr.

📝 Other

  • Remove the file-assistant and web-assistant example agents and tidy stray references in chat-input, message-info-dialog, and tool-details-dialog (#1704).

Upgrade

No manual migration required. Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Contributors

@larryro, @yannickmonney


Auf GitHub ansehen

v0.2.71

v0.2.71 — Public status page and onboarding fix

This release adds an unauthenticated /status page with per-component health and trilingual copy, fixes an onboarding regression so fresh instances auto-seed a default org while multi-org deployments correctly route uninvited users to the create-organization form, and aligns the three service shells (platform, web, docs) on shared @tale/webui utilities. Also restores localized search placeholders on factory-driven tables.

🚀 Features

  • Public /status page with per-component health — unauthenticated, server-rendered, no JS. Reports overall up/down plus a per-subsystem breakdown using neutral product vocabulary (Application / Knowledge base / Web & document services) so stack names don't leak. Probes Convex /version and RAG/Crawler /health behind a 5s single-flight cache; upstream response bodies are discarded so a misbehaving probe target can't push bytes into the public response. Copy negotiated via Accept-Language (en / de / fr). A11y: status conveyed by text + colour (status dots are aria-hidden). Caddy routes /status straight to the platform via the default reverse_proxy — no Caddyfile change needed (#1699)

🐛 Fixes

  • Auto-create default org only on truly fresh instances — restores the auto-seed flow for the first user on a brand-new instance (so the many hardcoded orgSlug: 'default' callsites in agents, chat, integrations, providers, and login policy keep resolving), while multi-org instances and uninvited users still get the create-organization form. Slug-conflict races (two tabs / two users creating simultaneously) fall back to the form branch with no orphan state (#1698, #1702)
  • Search placeholder on factory-driven tables — the useTableConfigHook factory calls tEntity('searchPlaceholder') against a runtime namespace, so customers, products, vendors, and websites were rendering the raw key string instead of the localized placeholder. Added the missing top-level searchPlaceholder key for each entity and listed them in keys-dynamic.txt so the orphan-key scanner can see them (b98453a7)

🛠 Improvements

  • Service-shell alignment + shared @tale/webui utilitiesservices/platform, services/web, and services/docs now share a canonical shape: a one-line globals.css re-export from @tale/ui, sibling locals.css for service-specific styles, identical main.tsx / router.tsx / tailwind.config.ts / postcss.config.mjs / tsr.config.json / tsconfig.json, and an initServiceI18n helper that collapses the three near-duplicate i18n bootstraps. web and docs now share a startSimpleServer from @tale/webui/server (locale negotiation, /api/health with graceful-drain marker, security headers, extraRoutes hook); platform's Hono server keeps its specifics but its /api/health body shape was aligned. @fontsource/inter is bundled once at @tale/ui rather than per-service. The plop react-service generator emits the new aligned shape (#1700)
  • Shared search test suite, theme-asset sync, and docs polish — bundled into the alignment PR: full Vitest suite for the @tale/webui search dialog/build-index/client/highlight/snippets, a new rehype-preserve-code-meta plugin so fenced-code metadata survives the rehype pipeline, a theme-asset-sync component for platform theme assets, storybook cleanup, favicon rename (favicon-dark.png / favicon-light.png + a proper multi-size favicon.ico), and translation edits in docs/{de,de-CH,fr}/ (#1700)

Upgrade

No manual migration required. Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Contributors

@larryro, @yannickmonney


Auf GitHub ansehen

v0.2.70

v0.2.70 — Data-protection hardening, self-hosted docs, provider passthrough

This release lands a 14-phase data-protection and retention hardening cornerstone (legal hold, audit-chain checkpoints, RAG bearer auth + SSRF guards, GDPR Art. 17 erasure end-to-end, per-category retention floors), replaces Mintlify-hosted docs with a self-hosted tale-docs service that shares chrome and i18n with the marketing site, and adds providerOptions passthrough so OpenRouter quantization, OpenAI service_tier, Together safety_model, and similar provider features can be configured without code changes.

🔒 Security

  • Data-protection & retention hardening (14 phases) — opt-in RAG bearer auth (RAG_AUTH_TOKEN), 169.254.0.0/16 + 0.0.0.0/8 + fc00::/7 CIDR blocklist + cloud-metadata hostname blocklist on RAG_URL (with redirect: 'manual' to block IMDS pivots), audit-log HMAC-SHA256 chain with checkpoint rows, env-tunable per-category retention floors (audit min hardcoded at 365d), legal hold with maker-checker release flow, cascade-correct thread deletion, RLS gap fix for trashed/expired threads (#1676)
  • Provider host policy + developer-settings gate — IMDS hard-block + RFC1918 opt-in (TALE_ALLOW_PRIVATE_PROVIDER_HOSTS) on provider base URLs, developerSettings ability gate on all provider mutations/probes, secrets-first delete order, audit logging on provider changes (#1694)
  • Quantization variant validation — agent JSON @quant suffixes validated against declared quantizations; bogus variants rejected with UNKNOWN_MODEL_VARIANT (#1697)

🤖 Model & Provider

  • providerOptions passthrough — provider- and model-level JSON forwarded verbatim into LLM request bodies (OpenRouter quantization/routing, OpenAI service_tier, Together safety_model); Zod deny-list blocks body-overwrite keys (model, messages, max_tokens, …) (#1694)
  • Quantization variants as first-class selectable models — each quantizations entry shows up as its own pickable model (e.g. GLM 5.1 FP8 vs GLM 5.1 FP4) in chat, arena, and agent editors; encoded as provider:base@quant end-to-end (#1697)
  • Catalog refresh — GLM 5.1 / 5-turbo / 5v-turbo, Kimi K2.6, Qwen 3.6 max-preview/plus/flash/35b-a3b, Gemma 4 31b-it / 26b-a4b-it added to OpenRouter (#1694)
  • OpenRouter model list, prices, and pricing adjustments refreshed (multiple chore commits)
  • nvidia/nemotron-3-super repointed to the live OpenRouter id nvidia/nemotron-3-super-120b-a12b; pricing aligned with the live API

🚀 Features

  • GDPR Art. 17 admin UI — self-serve data-subject-requests page under Settings > Governance, structured reasonCode capture, single-grant Art. 12(3) extension (1–60 days), SLA countdown badge, audit timeline, inline legal-hold block panel (#1696)
  • Self-hosted docs service — Mintlify Cloud replaced by services/docs/ (TanStack Start), shared @tale/webui chrome with the marketing site, Mintlify-compatible MDX components, ⌘K search, per-page .md endpoints, /llms.txt + /llms-full.txt, AI page-actions menu (Open in ChatGPT/Claude/Cursor) (#1680)
  • Server-side locale detection + cross-subdomain cookie redirect — first-time de/fr browsers get 302'd to /de / /fr and a tale_locale cookie is set; cookie domain configurable via LOCALE_COOKIE_DOMAIN so tale.dev and docs.tale.dev share the preference (#1690)
  • Legal pages moved to marketing site with PDF downloads — privacy-policy, terms-of-service, DPA, personalization now at /legal/<slug> with a Playwright-generated dist/<slug>.pdf per locale (#1679)
  • Pricing-page user-count slider — 25–1000 with manual override; per-user breakdown on the Enterprise card (#1677)
  • Standalone tale-web / tale-docs container publishing — both sites get independent compose stacks and ship to ghcr.io/tale-project/tale/tale-{web,docs} on tagged releases; Discord webhook replaces Microsoft Teams for marketing form submissions (#1683)

⚡ Performance

  • Docs cold-load cut ~60%mermaid-vendor (719 KB gzipped) stripped from the entry preload graph and lazy-loaded only when a Mermaid diagram is on the page; ~30 individual lucide-react icon chunks coalesced into a single lucide-vendor chunk (#1689)

🛠 Improvements

  • Multi-language provider/model descriptionsresolveProviderLocale + resolveModelLocale mirror the agent-resolver fallback chain; per-locale tab editor in the provider edit panel; every model description in examples/providers/*.json translated into de + fr
  • Provider models search + UX polish — search input + empty state on the provider detail page (filters id, display name, description, tags — raw + localized); separate "Default models" panel; "Webhook" renamed to "Workers" in agent settings (#1693)
  • @tale/markdown package extracted — chat, docs, and marketing share one Shiki singleton, one component set, and one styling pass; streaming primitives (incremental reveal, mid-stream repair, CJK plugin) move in; fixes code-block line-number drift on trailing-newline blocks and Mermaid parse-error fragment accumulation (#1692)
  • Docs URL configurableWEB_DOCS_URL, DOCS_BASE_URL, DOCS_SITE_URL Dockerfile build args let docs mount at any path on any host; WEB_DOCS_URL now applies to the mobile-nav button and dist/robots.txt (#1684, #1685, #1686, #1687)
  • Toast positioning + automations table polish — top-center toasts for auth flows (log in, sign up, 2FA, forgot-password); automations table replaces version column with localized created date; raw <select>/<input> migrated to shared Select / Input / SearchableSelect; click-to-toast hint replaces forgot-password helper text (#1678)

🐛 Fixes

  • Prefixed-locale routes + /docs redirectsservices/web switches base: './'base: '/' so the SPA shell is self-contained at any depth (fixes blank /de/pricing after locale rollout); services/docs now prepends DOCS_BASE_URL to the Location header so Caddy-mounted /docs no longer redirects to the wrong origin (#1691)
  • Web header/footer styling restored + /llms{,-full}.txt served in devglobals.css now imports @tale/webui/globals.css so its @source directive picks up shared layout utilities; LLM artifacts written into public/ so Vite dev serves them (#1682)

💥 Breaking Changes

  • de-AT and fr-CH locale tracks removed — only de, fr, and de-CH remain across @tale/webui, services/{platform,docs,web}, agent terminology, and the plop service template. Agents and user profiles previously pinned to de-AT or fr-CH should be re-targeted to de or fr (#1682)
  • Audit-log retention floor enforced at 365 days — orgs with auditLogRetentionDays < 365 are runtime-clamped to 365 with a one-time warn log per org; explicit re-configuration via the new bounded retention editor required to silence the warning (#1676)

📝 Other

  • CI builds container images once and reuses them across smoke/validate/scan jobs (#1695)
  • All CI jobs moved to free GitHub-hosted runners (#1674)
  • Design file refresh: AI providers, personalization, integrations panels (#1681)

Migration Guide

Most operators only need:

tale upgrade
tale deploy

If you fall into any of the cases below, take the corresponding action before or right after tale deploy:

1. Enable RAG bearer auth (recommended for production)

The RAG service gains opt-in Bearer-token auth. Behavior is presence-based — no token is baked into the image:

  • Unset (default): RAG accepts unauthenticated requests on the container network; both RAG and platform log a one-time [SECURITY] RAG_AUTH_TOKEN unset warning at startup. Existing deployments continue to work without changes.
  • Set: Every platform → RAG request carries Authorization: Bearer ${RAG_AUTH_TOKEN}; RAG rejects mismatches with 401.

For production posture, set the same value on both containers:

# In your .env or compose override (same value on both)
RAG_AUTH_TOKEN=<a long random secret>

The token is re-read from the env on every call, so rotation takes effect on the next request without a process restart.

2. RAG_URL private-host check

RAG_URL is now validated against the IMDS (169.254.0.0/16) and the "this network" (0.0.0.0/8) blocklists at platform startup. If your RAG_URL points to anything in those ranges (it should not under any normal deployment), update it to a routable internal address before deploying.

3. Audit-log retention floor (operators with auditLogRetentionDays < 365)

Orgs with auditLogRetentionDays under the new 365-day floor will be runtime-clamped on first read and a warn log emitted. To fix permanently, open Settings > Governance > Retention and re-save with a value >= 365 (the editor now enforces bounds and shows the floor inline).

4. de-AT / fr-CH locales removed

If any agents, users, or org-level defaults were pinned to de-AT or fr-CH, repoint them to de or fr respectively (or to de-CH if you want the Swiss German overlay). The narrow-BCP-47 resolver still falls back to the base locale at runtime, so nothing 500s — but text that previously came from de-AT.json / fr-CH.json will now come from de.json / fr.json.

5. Docs deployment (self-hosters who pointed external DNS at docs.tale.dev Mintlify)

If you previously had a CNAME pointing at Mintlify Cloud for your docs subdomain, switch it to your Caddy/reverse-proxy host. The bundled compose.docs.yml brings up the new tale-docs service on port 3002; Caddy is already configured for docs.tale.dev in Caddyfile. No action needed if you don't expose a public docs site.

Upgrade

tale upgrade
tale deploy

Contributors

@larryro, @AdeolaAdekoya, @Israeltheminer, @yannickmonney


Auf GitHub ansehen

v0.2.69

v0.2.69 — Marketing site, optional SOPS, version-pinned installs

This release ships the public marketing site at services/web (with a shared @tale/ui library and plop scaffolding), makes SOPS encryption optional for provider secrets, and adds version-pinned CLI installs and downgrades. It also closes a thread-access regression on deleted-org and ex-member states, and stops the failover loop when no provider is configured.

🔒 Security

  • Closed access bypass and Convex subscription leaks on deleted-org / ex-member threads. canAccessThread no longer waves owners through unconditionally — current org membership is required, with expectedOrgId letting hot-path callers parallelize the membership read. Layout chrome and child routes now bail out cleanly when memberContext is invalid, tearing down org-scoped observers, and isPersonalizationActiveForChat returns false on miss instead of throwing (#1671).

💥 Breaking Changes

  • The guardrails secret_box now derives its HKDF input from ENCRYPTION_SECRET_HEX instead of SOPS_AGE_KEY. Operators with an existing moderation-provider auth header must re-save it once after upgrade — see the Migration Guide below (#1672).

🚀 Features

  • Marketing site launched at services/web (TanStack Start + Vite + Tailwind v4) with home / pricing / hardware-pricing / request-demo / contact pages and full en/de/fr i18n (plus de-AT / de-CH / fr-CH overrides). Shared UI primitives extracted into @tale/ui so platform and web consume one source of truth, and a new tools/plop/ directory provides generators for react-service, react-package, python-service, python-package, typescript-package, and docker-service (#1667).
  • Marketing site polish: 16 SVG illustrations replace raster mockups across feature-secure / feature-sectors / compliance-trust / feature-grid; sticky-only-on-tier-cards comparison header on /pricing and /hardware-pricing; new TierCard / CompareTable / ProgressBar shared components; locale-aware footer language switcher with country flags. PII-redaction added to the comparison table; hardware buy prices corrected to 31.7k / 32.9k / 35.3k CHF (#1673).
  • SOPS provider-secret encryption is now optional. Hybrid read path detects SOPS-shaped JSON and shells out to sops -d; otherwise returns plaintext as-is. Write path encrypts when an age key is configured and writes 0600 plaintext otherwise. SOPS_AGE_KEY_FILE is now honored on write (Vault / K8s Secret / systemd LoadCredential workflows). Wrong/rotated/missing keys no longer silently overwrite existing files — refusal surfaces as a destructive ConfirmDialog with a force-override path. en/de/fr docs updated for the two-mode model (#1672).
  • Version-pinned CLI installs: scripts/install-cli.{sh,ps1} honor a VERSION env var (downgrades included) with a friendly 404 message and pre-flight HEAD probe; tale upgrade --version <tag> migrates or downgrades to an exact release with a warning when downgrading that newer-version schema changes persist in the database (#1664).

🛠 Improvements

  • New Docker Desktop quickstart at docs/self-hosted/install/quickstart.md (~10 min), new docs/develop/integrations.md covering config.json / connector.ts / sandbox API, Member-role orientation reframe of platform/member/overview.md, and reworked platform/integrations/overview.md around the connector model. Translated to en/de/fr; footer "Getting started" link points at the new quickstart (#1664).
  • New web front-page designs added under designs/web/frontpages.pen (hero, contact, request-demo) with shared design-system components and image assets (#1666).
  • .env.example now explicitly marks SOPS_AGE_KEY, INSTANCE_SECRET, and the database section as REQUIRED — both keys are auto-generated by tale init but now surface as required to operators reading the file (#1668).

🐛 Fixes

  • NoProviderAvailableError is now treated as terminal in the failover chain — chat surfaces the friendly "Open Settings → AI providers" message instead of cycling through fallback models that would all hit the same empty provider list. Cross-action serialization (Convex's Uncaught NoProviderAvailableError: prefix) is matched in addition to instanceof (#1670).
  • Org owners can delete their own organizations again. The owner role is now distinct from admin and spreads ownerAc.statements (organization: ["update", "delete"]) — regressed when creatorRole was switched to owner and aliased to admin (#1669).
  • Added an explicit slug to the French operation-shape heading in docs/fr/develop/integrations.md (3f0e757).

📝 Other

  • Removed orphan operator-service code (browser_operate.ts, get_operator_service_url.ts, WebBrowserOperateResult types, thinking.browsing translations, /metrics/operator Caddyfile entry) — the operator service was already gone from the deployment (#1668).
  • Dropped orphan convex/lib/crypto/generate_secure_state.ts whose node:crypto import occasionally caused InvalidModules flakes during convex deploy. Husky pre-commit hook now passes --no-error-on-unmatched-pattern to oxfmt so commits touching only oxfmt-ignored files don't fail (#1665).
  • Renovate dependency pin pass: @types/validator, defu, libphonenumber-js, lodash-es, safe-regex2, validator, github/codeql-action, useblacksmith/setup-docker-builder (#1660).
  • Tightened Renovate config: internalChecksFilter=strict, prCreation=not-pending, rebaseWhen=conflicted, and migrated deprecated matchPackagePatterns to matchPackageNames regex form (806124a).

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Migration Guide

Re-save moderation provider secrets (only if you configured one). The guardrails secret_box HKDF input moved from SOPS_AGE_KEY to ENCRYPTION_SECRET_HEX, so existing encrypted moderation-provider auth headers can no longer be decrypted with the old key.

  1. After tale deploy completes, open Settings → Governance in the platform UI.
  2. Any provider with a configured auth header will display •••• (key rotated — re-save).
  3. Re-enter the auth header value and save. Chat with failBehavior.output='closed' is hard-blocked on those providers until this is done.

If you never configured a moderation-provider auth header, no action is required.

Contributors

@larryro, @yannickmonney, @AdeolaAdekoya, @renovate


Auf GitHub ansehen

v0.2.68

v0.2.68 — Artifacts, personalization backend, multilingual PII, feedback analytics

This release lands canvas-bound artifacts with live streaming edits, the backend for Personalization & Memory v1 (UI deferred), a redesigned multilingual PII detector, and a new governance feedback analytics page. It also closes three pre-personalization security gaps around cross-org thread access, debug-log plaintext, and the response cache.

🔒 Security

  • Closed cross-org gap in markGenerating — client-supplied organizationId is now validated against the thread's stored org, preventing a multi-org user from pulling another org's RAG / model policy / audit attribution into a thread (#1657).
  • debugLog('PRE_LLM_CALL') no longer ships system prompts or user messages in plaintext to operator log streams; payloads are summarized to { sha256, len } via a new summarizeForLog helper (#1657).
  • computeCacheKey now accepts an optional userPersonalizationFingerprint so per-user content cannot leak across users via a shared cache hit once personalization is wired in (#1657).

🚀 Features

  • Artifacts on canvas — agents can create and edit thread-bound documents (HTML, Markdown, code, SVG, Mermaid) via two new tools (artifact_create, artifact_edit). Patches stream into the canvas with inline diffs, scrolled focus, and a brief source-view hold after each stream settles. Includes a per-thread GC cron and full RLS-aware queries/mutations (#1655).
  • Export as PDF for HTML and Markdown artifacts via the browser's native print flow inside the artifact iframe — zero new dependencies, full CSS / font / CJK fidelity. The HTML iframe sandbox gains allow-modals (required by window.print()) (#1656).
  • Personalization & Memory v1 — backend with three tables (custom instructions, memories, audit log), assertSelfAndOrgMember self-and-org-member enforcement, a non-blocking propose_memory agent tool (pending → approved → invalidated), lazy rate-limiter-gated cleanup, GDPR Art 15/20 export endpoint, HMAC-pseudonymised audit trail, and prompt-injection structural defenses (XML tags, per-memory nonces, content filter). Settings UI, chat inline pending card, and EU JIT-consent modal are intentionally deferred to a follow-up (#1658).
  • PII detection v2 — replaces v1 regex with a redesign covering DE/FR/CH/EN home-address patterns (12 alternation forms, Unicode \p{L}\p{M}, NFC normalize at entry), libphonenumber-js for international phone numbers, and validator.js for IBAN mod-97 / credit-card Luhn post-filtering. EU address coverage rises from ~62% to 98.8%, real-chat over-masking from 40% to 0%, with ReDoS worst case bounded at 110 ms on a 12KB pathological input (#1659).
  • Governance feedback analytics page at /settings/governance/feedback: chat thumbs and arena verdicts with first-class agent / model / provider attribution, top-agents / top-models / per-pair model-matchup tables (canonical lexicographic orientation, decisive / tie / both-bad triple), and paginated recent-feedback listings with expandable rows. submitFeedback / deleteFeedback now do thread↔org checks and read attribution from messageMetadata server-side instead of trusting the client (#1662).

🛠 Improvements

  • Settings → Logs page polished: heading + subheading added, category filter and CSV/JSON exports hoisted into the header, audit timestamps switched to absolute MMM D, YYYY HH:mm. Sign-in blocks table refreshed with timestamp / user / IP / lock-out / IP-limit columns and an empty state (#1649).
  • CopyableField redesigned as a single bordered "ID field" pill with aria-live status, focus ring, and title-tooltip truncation; adopted for the organization ID with a helper subtitle (#1649).
  • Hardcoded heights dropped from Button size variants — SearchInput and FilterButton now own their own h-9, keeping sizes consistent across pages (#1649).

📝 Other

  • Dependency updates: docker/dockerfile 1.21 → 1.22, pdfjs-dist 5.4.624 → 5.5.207 (#1661).
  • Design source split: monolithic .pen file broken into per-page files (agents, auth, automations, chat, conversations, onboarding); knowledge and PoC 2.0 refreshed (#1654).

Upgrade

No manual migration required. Run tale upgrade to update the CLI, then tale deploy to apply the new version.

All schema additions (messageFeedback.{agentSlug,model,provider} + by_org_createdAt index, messageMetadata.agentSlug, three personalization tables, the artifacts table) are additive and applied automatically. New runtime dependencies (libphonenumber-js, validator.js) are bundled.

Contributors

@larryro, @Israeltheminer, @AdeolaAdekoya, @renovate


Auf GitHub ansehen

v0.2.67

v0.2.67 — Save agents before adding API keys

Fixes a save-time validation bug that blocked agents from referencing providers whose JSON config existed but didn't yet have an API key. Provider configuration and secret provisioning can now happen in any order, while runtime invocation continues to enforce key availability.

🐛 Fixes

  • Allow saving agents that reference keyless providers — saveAgent now validates supportedModels against the configured-models list (read directly from provider JSON) instead of the runtime model list, which required secrets to be present (#1653)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration required.

Contributors

@larryro


Auf GitHub ansehen

v0.2.66

v0.2.66 — Google Drive integration, workflow installations, and LLM fallback chains

A new Google Drive integration ships with an example sync workflow, and the "installed" state for workflows moves out of the workflow JSON file and into a new wfInstallations table so install state is org-scoped data rather than file content. Workflows and LLM steps gain a models[] fallback chain that fails over to the next model on transient errors, and a new "Upload configs" entry on the agents and automations pages lets you drop in JSON bundles directly from the UI.

🚀 Features

  • Google Drive integration. New first-party connector under examples/integrations/google_drive/ with an OAuth-flavored connector.ts and a ready-to-install examples/workflows/google_drive/sync.json template. (#1650)
  • Workflow installations are now first-class data. Whether a workflow is installed for an org now lives in a new wfInstallations table (keyed by organizationId + workflowSlug, with contentHash and installedBy), instead of an installed: boolean field inside the workflow JSON. Workflow JSON also gains a requires.integrations[] block ({ name, operations?, minVersion? }) so a template can declare which integrations it depends on, and the engine now validates those dependencies before scheduling. (#1650)
  • models[] fallback chains for LLM workflow steps. Workflow config.models and LLM step config.models accept an ordered list of model refs; on a failover-eligible error (transient provider failures, etc.) the engine moves to the next entry, with circuit-breaker tracking on transient failures. Workflow-level models is inherited by any LLM step that defines neither model nor models — step-level overrides still win. model and models are mutually exclusive on the same step. Existing single-model configs are unchanged. (#1652)
  • Upload configs from the dashboard. Agents and Automations pages get a new "Upload configs" entry in their action menus, opening a dialog that parses uploaded JSON bundles into the right destination. (#1651)

🛠 Improvements

  • Convex workflow file actions take organizationId instead of orgSlug. readWorkflow, listWorkflows, and related actions now resolve the org slug internally from organizationId, keeping callers consistent with the rest of the platform API. (#1650)
  • Stricter validation when starting workflows from a file. Integration dependencies declared in requires.integrations are validated against installed integrations (and minimum versions) before a run is scheduled. (#1650)

🐛 Fixes

  • Canvas no longer auto-opens on assistant messages. Code blocks in chat no longer pop the Canvas pane open every time the assistant produces output — opening Canvas is now an explicit user action again. (#1648)

💥 Breaking Changes

  • installed and enabled are removed from workflow JSON. The workflowJsonSchema no longer accepts these fields. "Installed" state is now persisted in the wfInstallations Convex table; enabled had no consumers and is gone. Existing workflow files with these fields keep parsing (zod strips unknown keys), but their previous "installed" status will not appear in the UI until you run the backfill migration below. (#1650)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Migration Guide (only if you had workflows marked installed: true on v0.2.65 or earlier)

The new wfInstallations table is empty after deploy. To carry over your previously-installed workflows and clean up legacy fields in the JSON files, run the per-org backfill migration once for each org:

bunx convex run migrations/backfill_wf_installations:backfillWfInstallations \
  '{ "orgSlug": "<your-org-slug>", "organizationId": "<your-org-id>" }'

The migration:

  • Inserts a wfInstallations row for every workflow JSON with legacy installed: true.
  • Rewrites those JSON files to drop the legacy installed / enabled fields (history snapshot is taken first).
  • Is idempotent and safe to re-run.

It returns a { installed, skipped, rewritten, failed } summary. If you have no previously-installed workflows, you can skip this step entirely.

Contributors

@larryro


Auf GitHub ansehen

v0.2.65

v0.2.65 — Interactive Canvas previews, multilingual subagents

Canvas HTML previews now serve from a dedicated route with a permissive CSP, so inline scripts run as expected and each render gets a fresh JS realm. Subagent prompts gain the same language-priority rules and {{user_profile}} placeholder as the chat agent across en/de/fr. A first-start DB init race that bricked fresh volumes is fixed.

🤖 Model & Provider

  • Language-priority rules and {{user_profile}} placeholder applied to all subagent example prompts (crm, file, integration, researcher, translator, web, workflow) across en/de/fr, so subagents stay in the orchestrator's language and see who they're working for.
  • Chat agent's HTML/Canvas guidance broadened to demo pages, dashboards, and visualizations; the pdf tool gate is tightened so the model stops emitting PDFs for inline-readable content. (#1645)

🚀 Features

  • Interactive Canvas HTML previews. The Canvas pane now renders previews via POST /canvas-preview instead of an iframe srcdoc. Inline <script> blocks and onclick= handlers run under a permissive (egress-locked) CSP, and every render gets a fresh Document and JS realm — so back-to-back renders no longer collide on top-level let/const declarations. (#1645)

🛠 Improvements

  • In-app markdown link routing. Same-origin anchors in chat messages now navigate client-side through TanStack router; external links keep target=_blank + rel=noopener noreferrer; mailto: and hash anchors get default browser behavior. (#1647)
  • Precise attribution in governance usage tables. The previous "Unknown assistant" rows in Top Assistants now render as Direct API for OpenAI-compat direct-model calls (translated for de/fr). Top Models filters out integration-only rows that have no model by design (Tavily/SQL/etc.); their cost is still attributed to the calling agent in Top Assistants, so no information is lost. (#1643)

🐛 Fixes

  • DB init no longer races on first start. Init-scripts were baked into the image at two locations and were both probing the same socket during initdb, causing concurrent ALTER DEFAULT PRIVILEGES statements to fail with duplicate key value violates unique constraint "pg_default_acl_role_nsp_obj_index". The wrapper is now the single runner; 03-create-knowledge-database.sql also wraps the four ALTER DEFAULT PRIVILEGES statements against unique_violation for defense in depth. (#1646)
  • Chat send no longer wedges after a PII-blocked message. sendingRef is now reset when the PII precheck blocks a send, so the toast fires every time and the input remains usable on subsequent attempts. (#1647)
  • Org-owner role label is translated. The member table built roles.${role.toLowerCase()} dynamically but the owner key was missing from en.json/de.json/fr.json, so org owners' rows rendered the raw key. Translation added and the dynamic key allowlisted.

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Migration Guide (only if you hit the DB init race on v0.2.64 or earlier)

If tale start previously failed with duplicate key value violates unique constraint "pg_default_acl_role_nsp_obj_index", the DB volume is half-initialized and must be removed before the patched image can come up cleanly:

tale stop
docker volume rm <project-id>-dev_db-data
tale upgrade
tale start

Replace <project-id> with your project's compose project name (the prefix of the existing *-db-data volume — see docker volume ls). All other users only need tale upgrade && tale deploy.

Contributors

@larryro, @yannickmonney, @AdeolaAdekoya


Auf GitHub ansehen

v0.2.64

v0.2.64 — Native vision images, dedicated org switcher

Vision-capable chat models now receive image attachments inlined as multimodal content instead of going through the image tool, the organization switcher graduates into its own nav button on desktop and mobile, and i18n / Canvas preview regressions from the previous release are fixed across all three locales.

🚀 Features

  • Native image input for vision-capable chat models. When the resolved chat model carries the vision tag and the turn includes image attachments, images are read from _storage and inlined as ImagePart content (≤ 1 MB each) rather than going through the image tool, which is dropped for that turn. Failover to a non-vision model automatically reverts to the markdown + image-tool path. Response-cache keys now fingerprint multimodal prompt content so two requests with identical text but different images no longer collide. (#1639)

🛠 Improvements

  • Organization switcher promoted to a dedicated nav button. A new OrganizationButton (Building2 icon + dropdown with OrganizationListPanel) replaces the embedded switcher previously buried inside the user menu and organization settings page. Wired into both desktop and mobile navigation, with translations updated in en/de/fr. (#1640)

🐛 Fixes

  • Canvas HTML preview iframe runs inline scripts again. A permissive Content-Security-Policy meta tag is now injected into the preview document so inline <script> blocks generated by the model actually execute, restoring interactive Canvas previews. (#1641)
  • Restored i18n keys that the orphan detector was incorrectly pruning. messages-usage.test.ts now recognises the t<Capital><rest> alias convention (e.g. tTables, tCustomers) and captures keys passed through ternaries / inline expressions, so callback-scoped translation calls no longer look orphaned. Missing keys re-added to en.json, de.json, and fr.json. (#1642)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version. No manual migration required.

Contributors

@larryro, @Israeltheminer, @yannickmonney


Auf GitHub ansehen

Zuletzt aktualisiert am 9. Juli 2026.

Sieh Tale auf deinem Stack

Buch eine geführte Demo oder sprich mit dem Team über Self-Hosted-Deployment, Preise und Hardware.