Skip to content

Releases: darknodebros/EleSync

EleSync v1.9.1

Choose a tag to compare

@Alphanymous Alphanymous released this 06 Jul 15:04

Fixed

  • Critical: Bearer-auth middleware was never actually enforced on the
    HTTP/SSE MCP transport.
    ELESYNC_TOKEN could be set and the server would
    behave as if it were protected, but every request was silently let through
    unauthenticated. Root cause: FastMCP does not cache a Starlette app on
    self.app/self._app — streamable_http_app()/sse_app() each build a
    fresh instance on every call, and the previous code tried to attach
    middleware to an app object that never existed. Fixed by wrapping the
    app-builder methods themselves so the middleware attaches to whichever
    instance is actually served, for both streamable-http and sse
    transports. If you run EleSync's HTTP/SSE transport with a token
    configured, upgrade immediately
    — prior versions provided no enforcement
    regardless of configuration.
  • Regression tests added (tests/test_mcp_auth.py) that build the real
    Starlette app and assert unauthenticated/wrong-token requests get 401 and
    correctly-authenticated requests do not — covering the exact gap that let
    the original bug ship silently.
  • Restored an unconditional import in mcp_server.py that a prior lint pass
    had removed as a seeming duplicate, which left a NameError latent on the
    direct-token code path.
  • Removed a stale [[tool.mypy.overrides]] section referencing numpy,
    which isn't a dependency anywhere in the codebase.
  • Removed a dead label parameter in elesync/usb.py.
  • index.html: use <code> instead of <span> for the install command
    (semantics/accessibility).
  • Strengthened test_empty_query_returns_recent to use explicit
    out-of-order timestamps, so the test can no longer pass by accident
    regardless of whether ORDER BY actually works.
  • Renamed test_recall_hides_unscoped_client_nothing to
    test_unrestricted_client_sees_all — the old name inverted its own
    meaning.

v1.9.0: MCP onboarding expansion + edge case tests

Choose a tag to compare

@Alphanymous Alphanymous released this 04 Jul 23:50

What's Changed

  • docs: add lint/format guidance to CONTRIBUTING.md to prevent ruff CI failures by @Alphanymous with @Copilot in #80
  • [WIP] Add incremental indexing and file watcher for large vaults by @Alphanymous with @Copilot in #83
  • [WIP] Add read-only scopes and audit logging for MCP clients by @Alphanymous with @Copilot in #82
  • feat: add text-paste import (ele paste + web UI + .txt files) by @Alphanymous in #84
  • [WIP] Add memory export feature for AI formats by @Alphanymous with @Copilot in #85

New Contributors

Full Changelog: v1.7.4...v1.9.0

EleSync v1.7.4

Choose a tag to compare

@Alphanymous Alphanymous released this 04 Jul 21:59
ac10fae

What's new since v1.7.1

v1.7.4

  • Hardened web dashboard authentication — refactored auth internals for robustness and security (#73)
  • Sample vault with 5 example memories for demos and onboarding

v1.7.3

  • Dark mode toggle (persists in localStorage)
  • Keyboard shortcuts/ search, N new memory, ? help, Esc close, Ctrl+K command palette
  • Mobile-responsive web UI (375px–700px breakpoints, 44×44px touch targets)
  • CSV export in addition to JSON

v1.7.2

  • Self-hosted web modeele web --host 0.0.0.0 for multi-device LAN access
  • Security warning when exposing without auth
  • Neon elephant logo in sidebar + static asset serving

Full changelog: https://github.com/darknodebros/EleSync/blob/master/CHANGELOG.md

Install / upgrade:

pip install --upgrade elesync
ele --version   # should show 1.7.4

EleSync v1.7.1

Choose a tag to compare

@Alphanymous Alphanymous released this 03 Jul 08:18

Fixed

  • MCP Registry publishing restored. The registry validates ownership by
    requiring mcp-name: io.github.darknodebros/elesync inside the PyPI README
    of the exact version being published. That marker was dropped in the
    README rewrite (d440aa8), so every registry publish since silently failed
    server-side validation and the registry entry froze at 1.3.0. The marker is
    back (as an HTML comment, invisible on PyPI/GitHub), and
    tests/test_packaging.py now fails the build if it is ever removed again,
    alongside checks that pyproject, __init__, and server.json versions agree.
  • Windows ConnectionAbortedError [WinError 10053] on rejected writes.
    The web dashboard's 401/403 auth gates responded before reading the request
    body; closing the connection with unread data triggers a TCP reset, which
    Windows clients surface as a connection abort instead of the status code.
    The gates now drain the unread body (capped at 1 MiB) before rejecting.
  • Base CI job green again. The web-auth test suites hash passwords, but
    the extras-free CI job has no bcrypt - 22 tests errored on every run since
    the web-auth PRs landed. They now skip cleanly without bcrypt, following the
    same convention as the fastembed and mcp-SDK guards. The one test that
    specifically exercises the missing-bcrypt error message stays unguarded.

Added

  • CI fails on version drift between pyproject.toml, server.json, and
    __init__.__version__ - the manifest shipped stale in two consecutive
    releases; now it cannot.

EleSync v1.7.0

Choose a tag to compare

@Alphanymous Alphanymous released this 03 Jul 04:59

Added

  • Web dashboard authentication, fully wired up — ele web adduser <name>
    turns on login for that vault's dashboard; ele web listusers /
    ele web removeuser manage it. No users configured means no change from
    today: the dashboard stays open on 127.0.0.1 exactly as before.

    • Passwords are bcrypt-hashed (elesync[webauth] extra), work factor
      configurable via ELE_BCRYPT_ROUNDS for fast test runs.
    • Sessions are cookie-based (HttpOnly, SameSite=Strict), and the
      token itself is never written to disk — web_sessions.json stores
      SHA-256 hashes, so reading that file doesn't hand out a live session.
    • Role-based access: --role viewer accounts can browse/search but get
      a real server-side 403 on any write — enforced at the API layer, not
      just hidden in the UI.
    • Auth state lives in <vault>/.web_auth/, so it travels with the vault
      (matters for USB vaults and multiple named vaults).
    • Removed the wildcard Access-Control-Allow-Origin: * from the web
      server while in there — the dashboard is same-origin by design (you
      open 127.0.0.1:7477 directly), so the wildcard only ever served to
      let any webpage's JavaScript read/write your vault via a background
      fetch() call. Latent gap, independent of the auth work; closed now
      rather than left for later.
  • ele doctor --fix — the health check can now repair fixable
    diagnostics (e.g. re-wiring a missing or stale mcpServers entry in a
    client config) instead of only reporting them. Run ele doctor alone
    for a read-only check, add --fix to apply repairs and re-verify.

Fixed

  • elesync/__init__.py's module docstring read "unified elesync" instead
    of "unified memory system" — copy-paste artifact from early in the
    project, harmless but silly every time you saw it.
  • cmd_vault_list's f-string used the same quote character for both the
    outer f-string and an inner dict key (f"{"Name":<20}..."), which is
    only valid on Python 3.12+ despite this project targeting 3.10 — would
    have crashed on ele vault list for anyone on 3.10 or 3.11.

v1.6.0

Choose a tag to compare

@Alphanymous Alphanymous released this 30 Jun 23:00

What's Changed

  • feat: conflict resolution workflow (ele resolve-conflict) by @Alphanymous in #70

Full Changelog: v1.5.4...v1.6.0

v1.5.4 - Claude memories/projects + Copilot CSV import fixes

Choose a tag to compare

@Alphanymous Alphanymous released this 28 Jun 07:44

Fixed

  • Claude.ai memories.json import — the real shape (conversations_memory + project_memories) wasn't recognized; always imported 0. Now correctly extracts both account-level and project-level narratives.
  • Claude.ai Project export docs — attached content in docs[].content wasn't recognized at all. Now imports correctly.
  • Microsoft Copilot CSV importnormalize_file() only parsed JSON, so Copilot's CSV export failed immediately. Verified against a real 405-row export: 12 conversations imported correctly, including a fix for same-second timestamp ordering.

See CHANGELOG.md for full details.

v1.5.3 - Claude conversation import fix

Choose a tag to compare

@Alphanymous Alphanymous released this 28 Jun 01:38

Fixed

  • Claude.ai conversation export import. from_conversations() only recognized
    {messages: [...]} / {mapping: {...}} with plain-string content. Claude.ai's
    real "Export Data" output uses chat_messages, sender (not role), name
    (not title), and content as a list of Anthropic-style blocks rather than a
    string. Every Claude conversation export was silently importing 0 memories.
    Verified against a real 93-conversation export.

Added

  • Remote MCP transport (ele serve --transport http) for clients that need
    Streamable HTTP instead of stdio — e.g. ChatGPT's Developer Mode connector.
    Verified live against a real ChatGPT connection through a tunnel.

See CHANGELOG.md for full details.

v1.5.2 - Web UI Fix

Choose a tag to compare

@Alphanymous Alphanymous released this 25 Jun 19:31

v1.5.2 Patch Release - Critical fix for Web UI. Fixes JavaScript syntax error that prevented the embedded web UI from rendering in v1.5.1. The ele web dashboard now loads correctly. No other changes - safe upgrade from v1.5.1.

EleSync v1.5.1

Choose a tag to compare

@Alphanymous Alphanymous released this 25 Jun 03:48
4749dae

Added

  • Vault switcher in web UI — switch vaults from the sidebar with path + optional passphrase dialog.
  • Conversation display in memory cards — memories with User:/Assistant: lines render as styled chat bubbles.
  • USB "Access this vault" button — opens vault switch dialog pre-filled with USB drive path.
  • Built-in web UI — browse, search, import, and manage your vault from any browser.

Changed

  • Updated website to v1.5.1 with web UI feature card.