Skip to content

v0.2.82

Choose a tag to compare

@larryro larryro released this 07 Jun 03:36
05d71d4

v0.2.82 — Data residency, passkeys, and Auto routing

This release adds deployment-level data residency for self-hosted instances (external knowledge Postgres, app Postgres, and S3 file storage), WebAuthn/passkeys with 2FA enforcement, and an "Auto" agent mode that routes each message to the right agent server-side. It also lands a broad performance pass across dashboard navigation, chat/org switching, and Convex per-request auth cost, plus org-configurable session idle timeout, out-of-band audit-integrity alerts, dependency CVE patches, and a large batch of table and chat UI polish.

🔒 Security

  • WebAuthn / passkeys: enroll, sign in, and revoke passkeys from account settings, with register/revoke audit entries. A registered passkey satisfies an enforced two_factor_policy alongside TOTP, so passkey-only users are never bounced to the TOTP wall. (#1822)
  • Org-configurable session idle timeout: admins can set the inactivity window from Settings → Security. The deployment-wide SESSION_IDLE_TIMEOUT_MINUTES stays the server-side hard cap — an org may only tighten it, never extend past it — and drives the client idle watchdog. (#1819)
  • Out-of-band alerting on audit-log integrity failure: the nightly hash-chain/checkpoint verification now raises a critical security notification (in-app bell + Slack fan-out) to org admins on any chain break, truncation, or checkpoint mismatch, not just an in-band audit row. (#1820)
  • Env-var source for provider API keys: a provider or model may set a secretsEnv field in its public <provider>.json to source the key from an environment variable, for operators whose secrets live in Kubernetes Secrets / Vault / cloud secret managers. The env-var name must use the reserved TALE_PROVIDER_KEY_ prefix and is fail-closed — unset, empty, or non-prefixed names fall back to the existing file key, so file-only deployments are unchanged. (#1711, #1832)
  • Failed-login lockout advisory: a failed credential attempt now shows a calm advisory that repeated failures temporarily lock the account. Deliberately not a per-attempt counter, which would reintroduce account enumeration and hand attackers a brute-force budget. (#1811)
  • Dependency security patches: hono 4.12.21 (mount-prefix advisory, #1830) and the vitest toolchain 4.1.8 (clears the critical otelCarrier advisory GHSA-2h32-95rg-cppp, #1823). Recorded accept-risk CVE suppressions and documented the security-update flow ahead of ratcheting the CVE gate. (#1821)

🤖 Model & Provider

  • "Auto" agent mode: when no assistant is pinned, the composer sends an auto sentinel and the server resolves it to a concrete agent before generation, so the thread commits the real agent from the first frame. Routing uses a cheapest-first ladder (≤1 candidate or trivial greeting → no LLM call; otherwise one timeout-raced classifier call that degrades to the default agent on timeout or failure, never blocking first-token latency). Agents now also support ordered multi-model selection — the first model is the default, the rest are fallbacks. (#1829)

🚀 Features

  • Deployment-level data residency: a flag-gated admin UI (Settings → Data residency) points a self-hosted deployment's knowledge Postgres, app Postgres, and Convex file storage at customer-controlled infrastructure. Config is a deployment-scoped deployment.json (+ SOPS secrets), consumed by the rag and convex entrypoints at boot and fail-closed; absent config keeps today's defaults. Includes per-section connection testing and an opt-in controller sidecar for one-click "Apply & restart". Writes are gated by org owner/admin plus the TALE_DEPLOYMENT_CONFIG_UI flag. (#1827)
  • Automation tester result feedback: the test panel now subscribes to the run it started and shows live status — running (with the current step), completed, or failed (with the failing step name and error) — instead of only toasting "execution started". (#1817)

⚡ Performance

  • Near-instant warm dashboard page transitions: fixed route-loader prefetches that never matched the table's actual usePaginatedQuery subscription, so navigating between list pages no longer flashes a skeleton. (#1833)
  • Reduced Convex per-request auth + query cost: request-scoped memoization resolves {user, orgs, teams} once per request instead of repeating cross-component Better Auth calls on the hot path (amplified ~5–10× on self-hosted), plus a set of query/frontend cleanups. Behavior-preserving. (#1831)
  • Faster chat switch, org switch, and setting toggles: consolidated four per-thread queries into one getThreadMeta behind a single access check, de-waterfalled org switching, fixed N+1/unindexed queries, and added optimistic updates to toggles. (#1825)
  • Gated cold-load queries on auth via an account bootstrap, so unauthenticated cold loads stop firing data queries.

🛠 Improvements

  • Split People settings into dedicated Organization and Teams destinations: Members now live under Organization (prefetched in the route loader), Teams get their own /settings/teams route, and /settings/people redirects so existing links keep working. (#1836)
  • Shared DataTable polish: fixed-width select-checkbox and row-actions columns align across every table, consistent row height, and skeletons that match the real table layout. (#1835)
  • Raised form-label contrast to text-foreground at the shared-component level (a11y), polished the filter popover and read-only email surfaces, and refreshed the feature-chat marketing image. (#1834)
  • Polished the list header, mobile header, chat toolbar, loading skeletons, and tab navigation. (#1824)

🐛 Fixes

  • Made chat auto-scroll instant so sending a message no longer stalls part-way up the thread. (#1826)
  • Preserve reasoning and tool parts when branching an edited chat, and keep chat markdown headings plain (no doc-style anchors).
  • Keep one-off translation requests in the reply language. (#1813)
  • Highlight a duplicated agent as a new row. (#1812)
  • Keep tooltips clear of viewport edges and controls. (#1814)
  • Fixed Vite dep-optimizer 404s and tab-underline alignment. (#1828)
  • Made the read-aloud toggle available on a new chat.
  • Aligned the provider-details, add-provider, provider-options, and erasure-request drawers with the shared settings-UI chrome.
  • Relaxed the platform health-check interval to cut boot noise. (proxy, #1815)
  • A batch of skeleton, mobile-header, table min-width, automation-centering, and retention-timeline mobile-width fixes.

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — all schema changes this release are additive (new optional fields, new indexes, and a new session_idle_timeout governance policy) and apply automatically on deploy. Three new capabilities are opt-in and leave existing behavior unchanged:

  • Data residency — set TALE_DEPLOYMENT_CONFIG_UI to expose the write UI, and optionally set CONTROLLER_TOKEN to enable the controller sidecar for one-click "Apply & restart" (otherwise apply with docker compose restart rag convex). An external knowledge DB must run ParadeDB (pgvector + pg_search) or hybrid search degrades to vector-only; switching local → S3 file storage is greenfield and does not migrate existing blobs.
  • Env-sourced provider keys — add a secretsEnv field to a provider/model in <provider>.json pointing at an env var named with the reserved TALE_PROVIDER_KEY_ prefix. Leave it unset to keep using file-based keys.

Contributors

@yannickmonney, @larryro, @Israeltheminer, @AdeolaAdekoya, plus dependency security updates via Renovate.


Full Changelog: v0.2.81...v0.2.82