v0.2.82
v0.2.82 — Data residency, passkeys, and Auto routing
This release adds deployment-level data residency for self-hosted instances (external knowledge Postgres, app Postgres, and S3 file storage), WebAuthn/passkeys with 2FA enforcement, and an "Auto" agent mode that routes each message to the right agent server-side. It also lands a broad performance pass across dashboard navigation, chat/org switching, and Convex per-request auth cost, plus org-configurable session idle timeout, out-of-band audit-integrity alerts, dependency CVE patches, and a large batch of table and chat UI polish.
🔒 Security
- WebAuthn / passkeys: enroll, sign in, and revoke passkeys from account settings, with register/revoke audit entries. A registered passkey satisfies an enforced
two_factor_policyalongside TOTP, so passkey-only users are never bounced to the TOTP wall. (#1822) - Org-configurable session idle timeout: admins can set the inactivity window from Settings → Security. The deployment-wide
SESSION_IDLE_TIMEOUT_MINUTESstays the server-side hard cap — an org may only tighten it, never extend past it — and drives the client idle watchdog. (#1819) - Out-of-band alerting on audit-log integrity failure: the nightly hash-chain/checkpoint verification now raises a critical
securitynotification (in-app bell + Slack fan-out) to org admins on any chain break, truncation, or checkpoint mismatch, not just an in-band audit row. (#1820) - Env-var source for provider API keys: a provider or model may set a
secretsEnvfield in its public<provider>.jsonto source the key from an environment variable, for operators whose secrets live in Kubernetes Secrets / Vault / cloud secret managers. The env-var name must use the reservedTALE_PROVIDER_KEY_prefix and is fail-closed — unset, empty, or non-prefixed names fall back to the existing file key, so file-only deployments are unchanged. (#1711, #1832) - Failed-login lockout advisory: a failed credential attempt now shows a calm advisory that repeated failures temporarily lock the account. Deliberately not a per-attempt counter, which would reintroduce account enumeration and hand attackers a brute-force budget. (#1811)
- Dependency security patches: hono 4.12.21 (mount-prefix advisory, #1830) and the vitest toolchain 4.1.8 (clears the critical
otelCarrieradvisory GHSA-2h32-95rg-cppp, #1823). Recorded accept-risk CVE suppressions and documented the security-update flow ahead of ratcheting the CVE gate. (#1821)
🤖 Model & Provider
- "Auto" agent mode: when no assistant is pinned, the composer sends an auto sentinel and the server resolves it to a concrete agent before generation, so the thread commits the real agent from the first frame. Routing uses a cheapest-first ladder (≤1 candidate or trivial greeting → no LLM call; otherwise one timeout-raced classifier call that degrades to the default agent on timeout or failure, never blocking first-token latency). Agents now also support ordered multi-model selection — the first model is the default, the rest are fallbacks. (#1829)
🚀 Features
- Deployment-level data residency: a flag-gated admin UI (Settings → Data residency) points a self-hosted deployment's knowledge Postgres, app Postgres, and Convex file storage at customer-controlled infrastructure. Config is a deployment-scoped
deployment.json(+ SOPS secrets), consumed by theragandconvexentrypoints at boot and fail-closed; absent config keeps today's defaults. Includes per-section connection testing and an opt-incontrollersidecar for one-click "Apply & restart". Writes are gated by org owner/admin plus theTALE_DEPLOYMENT_CONFIG_UIflag. (#1827) - Automation tester result feedback: the test panel now subscribes to the run it started and shows live status — running (with the current step), completed, or failed (with the failing step name and error) — instead of only toasting "execution started". (#1817)
⚡ Performance
- Near-instant warm dashboard page transitions: fixed route-loader prefetches that never matched the table's actual
usePaginatedQuerysubscription, so navigating between list pages no longer flashes a skeleton. (#1833) - Reduced Convex per-request auth + query cost: request-scoped memoization resolves
{user, orgs, teams}once per request instead of repeating cross-component Better Auth calls on the hot path (amplified ~5–10× on self-hosted), plus a set of query/frontend cleanups. Behavior-preserving. (#1831) - Faster chat switch, org switch, and setting toggles: consolidated four per-thread queries into one
getThreadMetabehind a single access check, de-waterfalled org switching, fixed N+1/unindexed queries, and added optimistic updates to toggles. (#1825) - Gated cold-load queries on auth via an account bootstrap, so unauthenticated cold loads stop firing data queries.
🛠 Improvements
- Split People settings into dedicated Organization and Teams destinations: Members now live under Organization (prefetched in the route loader), Teams get their own
/settings/teamsroute, and/settings/peopleredirects so existing links keep working. (#1836) - Shared DataTable polish: fixed-width select-checkbox and row-actions columns align across every table, consistent row height, and skeletons that match the real table layout. (#1835)
- Raised form-label contrast to
text-foregroundat the shared-component level (a11y), polished the filter popover and read-only email surfaces, and refreshed the feature-chat marketing image. (#1834) - Polished the list header, mobile header, chat toolbar, loading skeletons, and tab navigation. (#1824)
🐛 Fixes
- Made chat auto-scroll instant so sending a message no longer stalls part-way up the thread. (#1826)
- Preserve reasoning and tool parts when branching an edited chat, and keep chat markdown headings plain (no doc-style anchors).
- Keep one-off translation requests in the reply language. (#1813)
- Highlight a duplicated agent as a new row. (#1812)
- Keep tooltips clear of viewport edges and controls. (#1814)
- Fixed Vite dep-optimizer 404s and tab-underline alignment. (#1828)
- Made the read-aloud toggle available on a new chat.
- Aligned the provider-details, add-provider, provider-options, and erasure-request drawers with the shared settings-UI chrome.
- Relaxed the platform health-check interval to cut boot noise. (proxy, #1815)
- A batch of skeleton, mobile-header, table min-width, automation-centering, and retention-timeline mobile-width fixes.
Upgrade
Run tale upgrade to update the CLI, then tale deploy to apply the new version.
No manual migration is required — all schema changes this release are additive (new optional fields, new indexes, and a new session_idle_timeout governance policy) and apply automatically on deploy. Three new capabilities are opt-in and leave existing behavior unchanged:
- Data residency — set
TALE_DEPLOYMENT_CONFIG_UIto expose the write UI, and optionally setCONTROLLER_TOKENto enable thecontrollersidecar for one-click "Apply & restart" (otherwise apply withdocker compose restart rag convex). An external knowledge DB must run ParadeDB (pgvector + pg_search) or hybrid search degrades to vector-only; switching local → S3 file storage is greenfield and does not migrate existing blobs. - Env-sourced provider keys — add a
secretsEnvfield to a provider/model in<provider>.jsonpointing at an env var named with the reservedTALE_PROVIDER_KEY_prefix. Leave it unset to keep using file-based keys.
Contributors
@yannickmonney, @larryro, @Israeltheminer, @AdeolaAdekoya, plus dependency security updates via Renovate.
Full Changelog: v0.2.81...v0.2.82