Releases: darknodebros/EleSync
Release list
EleSync v1.9.1
Fixed
- Critical: Bearer-auth middleware was never actually enforced on the
HTTP/SSE MCP transport.ELESYNC_TOKENcould be set and the server would
behave as if it were protected, but every request was silently let through
unauthenticated. Root cause: FastMCP does not cache a Starlette app on
self.app/self._app—streamable_http_app()/sse_app()each build a
fresh instance on every call, and the previous code tried to attach
middleware to an app object that never existed. Fixed by wrapping the
app-builder methods themselves so the middleware attaches to whichever
instance is actually served, for bothstreamable-httpandsse
transports. If you run EleSync's HTTP/SSE transport with a token
configured, upgrade immediately — prior versions provided no enforcement
regardless of configuration. - Regression tests added (
tests/test_mcp_auth.py) that build the real
Starlette app and assert unauthenticated/wrong-token requests get 401 and
correctly-authenticated requests do not — covering the exact gap that let
the original bug ship silently. - Restored an unconditional import in
mcp_server.pythat a prior lint pass
had removed as a seeming duplicate, which left a NameError latent on the
direct-token code path. - Removed a stale
[[tool.mypy.overrides]]section referencingnumpy,
which isn't a dependency anywhere in the codebase. - Removed a dead
labelparameter inelesync/usb.py. index.html: use<code>instead of<span>for the install command
(semantics/accessibility).- Strengthened
test_empty_query_returns_recentto use explicit
out-of-order timestamps, so the test can no longer pass by accident
regardless of whetherORDER BYactually works. - Renamed
test_recall_hides_unscoped_client_nothingto
test_unrestricted_client_sees_all— the old name inverted its own
meaning.
v1.9.0: MCP onboarding expansion + edge case tests
What's Changed
- docs: add lint/format guidance to CONTRIBUTING.md to prevent ruff CI failures by @Alphanymous with @Copilot in #80
- [WIP] Add incremental indexing and file watcher for large vaults by @Alphanymous with @Copilot in #83
- [WIP] Add read-only scopes and audit logging for MCP clients by @Alphanymous with @Copilot in #82
- feat: add text-paste import (ele paste + web UI + .txt files) by @Alphanymous in #84
- [WIP] Add memory export feature for AI formats by @Alphanymous with @Copilot in #85
New Contributors
- @Alphanymous with @Copilot made their first contribution in #80
Full Changelog: v1.7.4...v1.9.0
EleSync v1.7.4
What's new since v1.7.1
v1.7.4
- Hardened web dashboard authentication — refactored auth internals for robustness and security (#73)
- Sample vault with 5 example memories for demos and onboarding
v1.7.3
- Dark mode toggle (persists in localStorage)
- Keyboard shortcuts —
/search,Nnew memory,?help,Escclose,Ctrl+Kcommand palette - Mobile-responsive web UI (375px–700px breakpoints, 44×44px touch targets)
- CSV export in addition to JSON
v1.7.2
- Self-hosted web mode —
ele web --host 0.0.0.0for multi-device LAN access - Security warning when exposing without auth
- Neon elephant logo in sidebar + static asset serving
Full changelog: https://github.com/darknodebros/EleSync/blob/master/CHANGELOG.md
Install / upgrade:
pip install --upgrade elesync
ele --version # should show 1.7.4EleSync v1.7.1
Fixed
- MCP Registry publishing restored. The registry validates ownership by
requiringmcp-name: io.github.darknodebros/elesyncinside the PyPI README
of the exact version being published. That marker was dropped in the
README rewrite (d440aa8), so every registry publish since silently failed
server-side validation and the registry entry froze at 1.3.0. The marker is
back (as an HTML comment, invisible on PyPI/GitHub), and
tests/test_packaging.pynow fails the build if it is ever removed again,
alongside checks that pyproject,__init__, andserver.jsonversions agree. - Windows
ConnectionAbortedError [WinError 10053]on rejected writes.
The web dashboard's 401/403 auth gates responded before reading the request
body; closing the connection with unread data triggers a TCP reset, which
Windows clients surface as a connection abort instead of the status code.
The gates now drain the unread body (capped at 1 MiB) before rejecting. - Base CI job green again. The web-auth test suites hash passwords, but
the extras-free CI job has no bcrypt - 22 tests errored on every run since
the web-auth PRs landed. They now skip cleanly without bcrypt, following the
same convention as the fastembed and mcp-SDK guards. The one test that
specifically exercises the missing-bcrypt error message stays unguarded.
Added
- CI fails on version drift between
pyproject.toml,server.json, and
__init__.__version__- the manifest shipped stale in two consecutive
releases; now it cannot.
EleSync v1.7.0
Added
-
Web dashboard authentication, fully wired up —
ele web adduser <name>
turns on login for that vault's dashboard;ele web listusers/
ele web removeusermanage it. No users configured means no change from
today: the dashboard stays open on127.0.0.1exactly as before.- Passwords are bcrypt-hashed (
elesync[webauth]extra), work factor
configurable viaELE_BCRYPT_ROUNDSfor fast test runs. - Sessions are cookie-based (
HttpOnly,SameSite=Strict), and the
token itself is never written to disk —web_sessions.jsonstores
SHA-256 hashes, so reading that file doesn't hand out a live session. - Role-based access:
--role vieweraccounts can browse/search but get
a real server-side 403 on any write — enforced at the API layer, not
just hidden in the UI. - Auth state lives in
<vault>/.web_auth/, so it travels with the vault
(matters for USB vaults and multiple named vaults). - Removed the wildcard
Access-Control-Allow-Origin: *from the web
server while in there — the dashboard is same-origin by design (you
open127.0.0.1:7477directly), so the wildcard only ever served to
let any webpage's JavaScript read/write your vault via a background
fetch()call. Latent gap, independent of the auth work; closed now
rather than left for later.
- Passwords are bcrypt-hashed (
-
ele doctor --fix— the health check can now repair fixable
diagnostics (e.g. re-wiring a missing or stalemcpServersentry in a
client config) instead of only reporting them. Runele doctoralone
for a read-only check, add--fixto apply repairs and re-verify.
Fixed
elesync/__init__.py's module docstring read "unified elesync" instead
of "unified memory system" — copy-paste artifact from early in the
project, harmless but silly every time you saw it.cmd_vault_list's f-string used the same quote character for both the
outer f-string and an inner dict key (f"{"Name":<20}..."), which is
only valid on Python 3.12+ despite this project targeting 3.10 — would
have crashed onele vault listfor anyone on 3.10 or 3.11.
v1.6.0
What's Changed
- feat: conflict resolution workflow (ele resolve-conflict) by @Alphanymous in #70
Full Changelog: v1.5.4...v1.6.0
v1.5.4 - Claude memories/projects + Copilot CSV import fixes
Fixed
- Claude.ai memories.json import — the real shape (
conversations_memory+project_memories) wasn't recognized; always imported 0. Now correctly extracts both account-level and project-level narratives. - Claude.ai Project export docs — attached content in
docs[].contentwasn't recognized at all. Now imports correctly. - Microsoft Copilot CSV import —
normalize_file()only parsed JSON, so Copilot's CSV export failed immediately. Verified against a real 405-row export: 12 conversations imported correctly, including a fix for same-second timestamp ordering.
See CHANGELOG.md for full details.
v1.5.3 - Claude conversation import fix
Fixed
- Claude.ai conversation export import.
from_conversations()only recognized
{messages: [...]}/{mapping: {...}}with plain-string content. Claude.ai's
real "Export Data" output useschat_messages,sender(notrole),name
(nottitle), andcontentas a list of Anthropic-style blocks rather than a
string. Every Claude conversation export was silently importing 0 memories.
Verified against a real 93-conversation export.
Added
- Remote MCP transport (
ele serve --transport http) for clients that need
Streamable HTTP instead of stdio — e.g. ChatGPT's Developer Mode connector.
Verified live against a real ChatGPT connection through a tunnel.
See CHANGELOG.md for full details.
v1.5.2 - Web UI Fix
v1.5.2 Patch Release - Critical fix for Web UI. Fixes JavaScript syntax error that prevented the embedded web UI from rendering in v1.5.1. The ele web dashboard now loads correctly. No other changes - safe upgrade from v1.5.1.
EleSync v1.5.1
Added
- Vault switcher in web UI — switch vaults from the sidebar with path + optional passphrase dialog.
- Conversation display in memory cards — memories with User:/Assistant: lines render as styled chat bubbles.
- USB "Access this vault" button — opens vault switch dialog pre-filled with USB drive path.
- Built-in web UI — browse, search, import, and manage your vault from any browser.
Changed
- Updated website to v1.5.1 with web UI feature card.