v0.2.81 — Tasks, collaboration, and session security
v0.2.81 — Tasks, collaboration, and session security
This release adds a task platform with a collaborative inbox and project-scoped secrets, plus Slack and Confluence integrations and a generic OIDC SSO adapter. It hardens sessions with optional server-side idle timeout and adds daily audit-log integrity verification, alongside dependency CVE patches and a large batch of UI and import fixes.
🔒 Security
- Server-side session idle timeout: set the optional
SESSION_IDLE_TIMEOUT_MINUTES(1–1440) to sign a session out after inactivity. The window slides on activity and is enforced server-side across email/password, SSO, and trusted-headers sessions; the client also warns and signs out idle sessions. Unset by default, so existing behavior is unchanged. (#1808, #1810) - Daily audit-log integrity check: the hash-chain + checkpoint verification that previously ran only on demand now runs daily across every org and raises a security-category audit row plus a structured alert on any chain break, truncation, checkpoint mismatch, or unsigned PII scrub. (#1805)
- Force re-authentication after a voluntary password change so prior sessions can't continue. (#1769)
- Block CI on high/critical CVEs and fast-track Renovate security updates (supply-chain hardening). (#1784)
- Dependency security patches: axios 1.16.0 (#1788), python-multipart 0.0.27 (#1787), brace-expansion 5.0.6 (#1785), turbo 2.9.14 (#1786).
🤖 Model & Provider
- Centralize AI reply-language behind a shared priority chain (explicit request → message language → browser-locale fallback) and remove the per-agent language block from all shipped agents, so reply-language resolves consistently across agents. (#1795)
🚀 Features
- Task platform with a collaborative inbox: tasks, comments, activity, dependencies, and board views, with project-scoped secrets, per-agent secret access, and user notifications/subscriptions. (#1761)
- Slack integration: inbound bot (app mentions and DMs) and outbound workflow/security notifications, via a bring-your-own Slack app installed by manifest + OAuth. (#1762)
- Confluence Cloud read-only sync integration. (#1807)
- Generic OIDC identity-provider adapter for SSO. (#1809)
- Upload product images during product create/edit. (#1797)
🛠 Improvements
- Consolidate API settings into a single page and refine the navigation chrome and account menu. (#1806)
- Assign documents and folders to multiple teams. (#1773)
- Default to the team context in the prompt library's Team tab. (#1798)
- Show price, category, and status in the product list. (#1767)
- Show tags and assigned team on prompt list rows. (#1777)
- Paginate the organization members table. (#1796)
- Clarify upload-success vs. background-indexing copy, and hide masked content behind a skeleton while loading. (#1778, #1779)
🐛 Fixes
- Ignore a spurious empty Radix Select change that falsely dirtied org settings. (#1816)
- Accept
uiLanguagein the shared userContext validator. (#1802) - Gate the DB healthcheck on an init-completion marker. (#1801)
- Make form-field borders visible in light mode, and cap the select dropdown height to the viewport. (#1800, #1799)
- Validate required columns on product CSV import, and harden customer/vendor import against silent data loss. (#1793, #1766)
- Gate the automation tester on input validation, and add a timeout to the MCP server connection test. (#1792, #1790)
- Lock upload team selection to the folder's team. (#1776)
- Gate create-dialog submit buttons on form validity. (#1765)
- Surface the missing-password error on the add-member form. (#1768)
- Reject conflicting allow/block extensions in the upload policy. (#1770)
- Use sensible thread titles for attachment-only chats, and stop dictation when a chat message is sent. (#1771, #1772)
- Label custom condition branches in the automation flow. (#1774)
- Right-align the team row action menu. (#1794)
- Comment cascade, screenshot, notification skeleton, and label fixes. (#1763)
📝 Other
- Document PII at-rest posture (Option B). (#1804)
- Cryptography reference aligned with BSI TR-02102-1. (#1780)
- Worked examples: Prometheus + Grafana, audit-log export, and modular AI-directed test guides per feature module. (#1781, #1782, #1783)
- Private-host provider policy + OAuth2 callback URL docs, and fix the OpenAI-compatible endpoint path. (#1775, #1764)
Upgrade
Run tale upgrade to update the CLI, then tale deploy to apply the new version.
No manual migration is required — new tables and the daily audit-log integrity check apply automatically on deploy. Optionally, set SESSION_IDLE_TIMEOUT_MINUTES (1–1440) to enable server-side idle sign-out; leave it unset to keep the current session lifetime.
Contributors
@yannickmonney, @larryro, @Israeltheminer, plus dependency security updates via Renovate.
Full Changelog: v0.2.80...v0.2.81