Releases: RandomCodeSpace/docsiq

v0.1.6

04 May 06:38

[0.1.6] — 2026-05-04

Lets docsiq run on a non-loopback host without an API key when the
operator explicitly opts in. Default behavior is unchanged — every
existing install boots identically.

Added

  • server.allow_unauthenticated (env:
    DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED=true). When set, docsiq starts
    even with an empty server.api_key on a non-loopback bind. Use this
    on trusted private networks (homelabs, single-tenant LANs, air-gapped
    clusters) where the boot gate is purely a ritual. Never enable on
    the public internet — every indexed document and the LLM proxy
    become reachable to anyone on the bind address.

    Boot-time warning when the override is active:

    ⚠️ auth disabled and server.allow_unauthenticated=true — anyone
    reachable on this network can read all data and use the LLM proxy;
    do NOT enable on the public internet  host=0.0.0.0 port=8080
    

    (#98)

Changed

  • The "refusing to start" boot errors now name the override env var so
    anyone who hits the refusal sees both escape hatches (set a key OR
    set the override) without grepping the docs. (#98)
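
The boot gate described above, sketched as an added example (not docsiq's own code): a missing API key is tolerated on loopback, refused on any other bind, and allowed with a warning only when the override is set. The ServerConfig struct, the function names, and the fail-closed treatment of empty or unparseable hosts are assumptions; only the key and env-var names come from these notes.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Env-var name from the release notes; the gate logic is an assumption.
const overrideEnv = "DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED"

// ErrRefuseStart marks a configuration the gate will not boot.
var ErrRefuseStart = errors.New("refusing to start")

// ServerConfig is a hypothetical struct mirroring the server.* keys.
type ServerConfig struct {
	Host                 string // bind host
	Port                 int
	APIKey               string // server.api_key
	AllowUnauthenticated bool   // server.allow_unauthenticated
}

// isLoopbackHost fails closed: "", 0.0.0.0, :: and hostnames that are not
// IP literals are all treated as reachable from the network.
func isLoopbackHost(host string) bool {
	h := strings.Trim(strings.TrimSpace(host), "[]")
	if strings.EqualFold(h, "localhost") {
		return true
	}
	ip := net.ParseIP(h)
	return ip != nil && ip.IsLoopback()
}

// CheckBootGate returns a warning to log (possibly empty) or a refusal error.
func CheckBootGate(c ServerConfig) (string, error) {
	if strings.TrimSpace(c.APIKey) != "" || isLoopbackHost(c.Host) {
		return "", nil // authenticated, or only reachable locally
	}
	if c.AllowUnauthenticated {
		// Abbreviated form of the boot-time warning quoted in the notes.
		return fmt.Sprintf("auth disabled and server.allow_unauthenticated=true host=%s port=%d",
			c.Host, c.Port), nil
	}
	return "", fmt.Errorf("%w: empty server.api_key on non-loopback bind %q; set an API key or %s=true",
		ErrRefuseStart, c.Host, overrideEnv)
}

func main() {
	// Constructed sample configurations.
	for _, c := range []ServerConfig{
		{Host: "127.0.0.1", Port: 8080}, {Host: "0.0.0.0", Port: 8080},
		{Host: "0.0.0.0", Port: 8080, AllowUnauthenticated: true},
	} {
		warn, err := CheckBootGate(c)
		fmt.Printf("%-10s override=%-5v warn=%q err=%v\n", c.Host, c.AllowUnauthenticated, warn, err)
	}
}
```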

Upgrade impact

Drop-in. Default value of the new key is false. Existing installs
behave identically to v0.1.5. The override is opt-in only.

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.6-linux-amd64.pem \
  --signature docsiq-v0.1.6-linux-amd64.sig \
  docsiq-v0.1.6-linux-amd64

v0.1.5

04 May 06:07

[0.1.5] — 2026-05-04

Build-pipeline fix so go install github.com/RandomCodeSpace/docsiq@v0.1.5
produces a binary with the embedded React UI included. No application
source changes vs v0.1.4 — prebuilt signed release binaries are
behaviorally identical.

Fixed

  • go install now ships a working UI. Previously ui/dist/ was
    gitignored on main (only a placeholder index.html was committed),
    so proxy.golang.org mirrored a tree without the hashed JS/CSS
    bundles, and //go:embed ui/dist baked in only the placeholder. The
    binary 404'd on every /assets/* request. The release workflow now
    creates an ephemeral commit on a detached HEAD that force-adds the
    freshly-built ui/dist/, and tags that commit as v0.1.5. main
    itself is unchanged. (#97)

Changed

  • .github/workflows/release.yml release: job now downloads the
    ui-dist artifact, force-adds ui/dist/ past .gitignore, commits
    on a detached HEAD, tags the new commit, and pushes only the tag.

Upgrade impact

Drop-in. No code or config changes. If you were already using
prebuilt signed binaries from the release page, behavior is identical
to v0.1.4. If you were using go install, the embedded UI now
actually works — you no longer need to download a release asset just
to use docsiq serve.

Reminder: docsiq still needs the sqlite_fts5 build tag (and a C
toolchain) for go install, per the v0.1.4 notes:

GOFLAGS='-tags=sqlite_fts5' go install github.com/RandomCodeSpace/docsiq@v0.1.5

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.5-linux-amd64.pem \
  --signature docsiq-v0.1.5-linux-amd64.sig \
  docsiq-v0.1.5-linux-amd64

v0.1.4

04 May 04:32
50c6038

[0.1.4] — 2026-05-04

Two install-path bug-fixes plus a docs note for the third — all surfaced
by a real user trying to install behind a corporate proxy.

Fixed

  • internal/config/config.go now binds every defaulted key to its
    DOCSIQ_<UPPER_KEY> env variant via a single
    for _, key := range v.AllKeys() { _ = v.BindEnv(key) } after defaults
    are set. Previously only ~9 keys were explicitly bound, which meant
    DOCSIQ_LLM_PROVIDER, DOCSIQ_LLM_OLLAMA_CHAT_MODEL,
    DOCSIQ_LLM_AZURE_*, DOCSIQ_LLM_OPENAI_*, DOCSIQ_DATA_DIR,
    DOCSIQ_INDEXING_*, etc. were silently ignored when no config file was
    present (Viper #761 — AutomaticEnv + Unmarshal doesn't see env-only
    keys without explicit BindEnv). The existing explicit BindEnv calls
    for server.api_key, workq_workers, etc. are retained — they
    document the secondary DOCSIQ_API_KEY alias and harmlessly
    double-bind. (#95)

Added

  • internal/config/config_test.go TestLoad_EnvOverridesLLM regression
    test that asserts DOCSIQ_LLM_OLLAMA_CHAT_MODEL,
    DOCSIQ_LLM_OLLAMA_EMBED_MODEL, DOCSIQ_LLM_PROVIDER,
    DOCSIQ_LLM_AZURE_API_KEY, and DOCSIQ_DATA_DIR all reach the
    populated *Config struct without a config file present. (#95)

Changed

  • docs/getting-started.md "Install" section now uses
    GOFLAGS='-tags=sqlite_fts5' go install github.com/RandomCodeSpace/docsiq@latest
    with an explicit explanation that the build tag is required because
    docsiq uses SQLite's FTS5 extension via mattn/go-sqlite3 — without
    it the binary fails at runtime with
    "unable to open store: no such module: fts5" when opening any
    project DB. (#95)

Known limitations

  • go install does not produce a working web UI. docsiq's React UI
    is embedded via //go:embed ui/dist, but the ui/dist/ build outputs
    are intentionally gitignored — only a placeholder index.html is
    committed. The release pipeline runs npm run build before go build,
    so the prebuilt release binaries on this page have the full UI
    baked in. A go install build, by contrast, embeds only the
    placeholder index.html and hits 404 on every /assets/* request.
    For docsiq serve use cases, install via
    gh release download v0.1.4 --repo RandomCodeSpace/docsiq --pattern 'docsiq-*-linux-amd64*'
    (or your platform's equivalent asset). The CLI commands
    (docsiq index, docsiq version, docsiq projects, etc.) work
    correctly on a go install build; only the embedded UI is affected.
    Tracked as a follow-up.

Upgrade impact

Drop-in for the test suite and config layer. Previously-ignored env
vars are now honoured — if you had DOCSIQ_LLM_* or
DOCSIQ_INDEXING_* set in a shell or CI environment, those values
will now reach docsiq where they were silently dropped before. Audit
your environment for unintended DOCSIQ_* settings before deploying.
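
One way to run the audit suggested above, as an added example (not part of docsiq): list every DOCSIQ_* variable in an environment, mask values whose names look like credentials, and flag the families these notes name as previously ignored. The function names and the credential-name heuristic are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EnvFinding describes one DOCSIQ_* variable found in an environment.
type EnvFinding struct {
	Name          string
	Value         string // masked when the name looks like a credential
	NewlyHonoured bool   // in a family the notes list as previously ignored
}

// Families the v0.1.4 notes name as silently ignored before the fix.
var newlyHonoured = []string{"DOCSIQ_LLM_", "DOCSIQ_INDEXING_", "DOCSIQ_DATA_DIR"}

// looksSecret is a heuristic (assumption) so credentials never reach a report.
func looksSecret(name string) bool {
	for _, marker := range []string{"KEY", "SECRET", "TOKEN", "PASSWORD"} {
		if strings.Contains(name, marker) {
			return true
		}
	}
	return false
}

// AuditDocsiqEnv takes os.Environ()-style "NAME=value" entries and returns
// the DOCSIQ_* ones sorted by name, with secret values masked.
func AuditDocsiqEnv(environ []string) []EnvFinding {
	var out []EnvFinding
	for _, kv := range environ {
		name, value, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(name, "DOCSIQ_") {
			continue // malformed entry or unrelated variable
		}
		f := EnvFinding{Name: name, Value: value}
		if looksSecret(name) && value != "" {
			f.Value = "<redacted>"
		}
		for _, p := range newlyHonoured {
			if strings.HasPrefix(name, p) {
				f.NewlyHonoured = true
			}
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	// Constructed sample environment; pass os.Environ() in real use.
	sample := []string{"PATH=/usr/bin", "DOCSIQ_LLM_PROVIDER=ollama",
		"DOCSIQ_LLM_AZURE_API_KEY=constructed-value", "DOCSIQ_API_KEY=constructed-value"}
	for _, f := range AuditDocsiqEnv(sample) {
		fmt.Printf("%-26s newly_honoured=%-5v %s\n", f.Name, f.NewlyHonoured, f.Value)
	}
}
```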

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.4-linux-amd64.pem \
  --signature docsiq-v0.1.4-linux-amd64.sig \
  docsiq-v0.1.4-linux-amd64

v0.1.3

04 May 03:32
afdacc5

[0.1.3] — 2026-05-04

Re-tag of v0.1.2's tree to refresh distribution channels. No source
changes — the binary content is identical to v0.1.2.

Why

A consumer reported go install github.com/RandomCodeSpace/docsiq@v0.1.2
failing in their local environment while v0.1.0 worked. The v0.1.2 tag,
GitHub release, proxy.golang.org cache, and sum.golang.org checksum
DB are all healthy and signed; the failure was downstream of those. This
release is published primarily to give the affected install a fresh tag
to retry against.

Reference

  • Upstream commit: afdacc5639d3 (same as v0.1.2)
  • Functionality identical to v0.1.2 — see v0.1.2 notes
    for the per-phase upload progress feedback that landed there.

Upgrade impact

Drop-in. No code changes; refresh of signed binaries and re-publication
through the release pipeline only.

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.3-linux-amd64.pem \
  --signature docsiq-v0.1.3-linux-amd64.sig \
  docsiq-v0.1.3-linux-amd64

v0.1.2

03 May 17:40
afdacc5

[0.1.2] — 2026-05-03

UX patch: per-phase upload progress feedback. Indexing is no longer a
black box from the UI's perspective.

Added

  • pipeline.ProgressEvent extended with File, ChunksDone,
    ChunksTotal. The pipeline now emits progress events at every phase
    boundary in indexFile (chunked → embed → entities → relationships →
    claims → structure → done) via a non-blocking send so a slow consumer
    never stalls indexing. Existing CLI callers that pass a nil progress
    channel keep working unchanged. (#94)
  • GET /api/upload/progress?job_id=... now streams JSON-encoded
    ProgressEvent frames over SSE: each frame carries
    {job_id, file, phase, chunks_done, chunks_total, message, done, error},
    ending with a terminal done:true event that includes the final error
    string (if any). The legacy plaintext message format is preserved when
    callers omit ?job_id so older integrations keep working. (#94)
  • New useUploadProgress React hook backed by fetch +
    ReadableStream, with a shared store via useSyncExternalStore so
    any component can subscribe to a job's live state. (#94)

Changed

  • Documents → Upload modal now renders a per-file row with the current
    phase label, a chunk progress counter (embed 12/47 chunks), and an
    inline error message for any phase that fails. aria-live=polite so
    the progress is announced to screen readers. The previous modal showed
    nothing past "uploading" until the indexing job completed. (#94)

Upgrade impact

Drop-in. The structured SSE format is opt-in via the new ?job_id=...
query parameter; clients that omit it still receive plaintext events.
No schema changes, no breaking API changes.

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.2-linux-amd64.pem \
  --signature docsiq-v0.1.2-linux-amd64.sig \
  docsiq-v0.1.2-linux-amd64

v0.1.1

03 May 16:47
19e7ac2

[0.1.1] — 2026-05-03

UI bug-fix release. The Documents view now actually renders document
bodies, the Graph view shows the entity graph from the indexing
pipeline (with a toggle back to the Notes graph), and the CLI no longer
panics when run with provider=none.

Added

  • GET /api/documents/{id}/chunks — returns the ordered chunks for a
    document so clients can render the indexed body. Each chunk carries
    id, chunk_index, content, and token_count. (#93)
  • GET /api/graph?project=... — returns the full entity graph as
    {nodes, edges}, shaped to match the UI's existing
    RawGraphResponse so the same GraphCanvas can render it. (#93)
  • README "Build from source": prerequisite paragraph that names the C
    toolchain requirement and the misleading undefined: sqlitevec.LoadInto
    symptom that surfaces when CGO is silently disabled because gcc
    isn't on PATH. (#92)

Fixed

  • DocumentView now renders the body of indexed documents — markdown
    routed through markdown-it (already a dep), with a <pre> fallback
    for other doc types. The previous view only rendered
    title + doc_type · v<n>, leaving every opened document looking
    blank. (#93)
  • The Graph route now loads both the entity graph (from the indexing
    pipeline) and the notes graph (wikilinks between authored notes),
    defaults to the entity graph when it has nodes, and exposes a small
    toggle so users can switch. The previous route was hard-wired to
    useNotesGraph, so any indexed corpus without hand-authored notes
    always rendered the empty state. (#93)
  • pipeline.indexFile no longer panics on (*Embedder).EmbedTexts
    when running with DOCSIQ_LLM_PROVIDER=none / graph-only flow. The
    CLAUDE.md guarantee that the embedder is nil-safe in this mode is
    now actually honoured: the embed phase is skipped, chunks are still
    persisted, downstream extraction runs against raw text. (#93)

Upgrade impact

Drop-in. Two new GET endpoints, no schema changes, no breaking API
changes. Existing UI clients see two new behaviours:

  • The Documents tab now renders chunk content for any document with
    indexed chunks. If you opened an empty / un-indexed project, you'll
    now see an explicit "no content available" empty state instead of a
    bare title.
  • The Graph tab defaults to the entity graph for any project with
    extracted entities; click the Notes graph toggle in the page
    header to switch back to the previous behaviour.

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.1-linux-amd64.pem \
  --signature docsiq-v0.1.1-linux-amd64.sig \
  docsiq-v0.1.1-linux-amd64

v0.1.0

03 May 15:27
fe0ddbd

[0.1.0] — 2026-05-03

Production-polish release: completes the seven-block roadmap (critical
ship-blockers → OSS polish), adds Playwright e2e + Scorecard hardening,
and ships a focused round of UI / search bug fixes.

Added

  • Block 1 — critical ship-blockers: upload size cap, auth hardening,
    bounded workq, scoped search. (#60)
  • Block 2 — security & auth hardening: CSP, baseline security
    headers, config validation, secret redaction in logs, req_id slog
    field. (#68)
  • Block 3 — resource safety & correctness: SQLite hardening,
    HTTP/LLM client timeouts, backpressure, context-propagation audit,
    graceful shutdown. (#73)
  • Block 4 — observability & ops: /version, /healthz, Prometheus
    /metrics, structured access log, --log-format flag. (#74)
  • Block 5 — UI polish: error boundary, loading/empty/error state
    trio, accessibility pass, prefers-reduced-motion, theme-flash fix,
    mobile viewport. (#71)
  • Block 6 — testing & CI hardening: govulncheck, npm audit,
    fuzz workflow, flake-gate, smoke tests, pipeline integration tests.
    (#70)
  • Block 7 — OSS polish: README, CONTRIBUTING, SECURITY, quickstart,
    screenshots, badges, annotated example config. (#69)
  • Playwright e2e smoke tests with UI-scoped CI. (#57)
  • Visible auth-required affordance on 401. (#76)
  • Scale tests gated behind scale build tag, run nightly. (#75)
  • OpenSSF Scorecard hardening recipe (RAN-51). (#82)

Changed

  • Per-version keep-a-changelog entries; [Unreleased] is the working
    surface (RAN-61). (#83)
  • TypeScript 6, Vite 8, @vitejs/plugin-react 6, vitest 4 — majors
    adopted across the UI. (#35)
  • react-router-dom 6 → 7. (#31)
  • tailwind-merge 2 → 3. (#27)
  • mcp-go 0.45 → 0.49. (#24)
  • cobra 1.8.1 → 1.10.2. (#23)
  • golang.org/x/net 0.47 → 0.53. (#25)
  • UI bundle budget bumped 580 KiB → 640 KiB. (#56)
  • Internal planning scaffolding removed from repo. (#77)

Fixed

  • apiFetch now preserves the multipart Content-Type boundary on
    uploads (RAN-34). (#78)
  • MCP console 401s route through the shared auth banner (RAN-36). (#79)
  • Local-search graph expansion is scoped to top-hit documents
    (RAN-35). (#80)
  • vitest config pins NODE_ENV=test so production env shells pass
    (RAN-40). (#81)
  • CodeQL go/command-injection finding in runGit closed. (#55)
  • Playwright screenshots.spec.ts excluded from the default run; runs
    in the dedicated screenshots workflow only. (#72)

Upgrade impact

Drop-in replacement — no schema or API breaking changes. New
env- and flag-driven controls (CSP, --log-format, /metrics,
/healthz, /version) default to safe values; the auth-required UI
affordance is purely additive on 401. The local-search scoping change
can return slightly different results for queries where the previous
behaviour expanded into low-relevance documents — see #80 if you
depended on the previous expansion shape.

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.1.0-linux-amd64.pem \
  --signature docsiq-v0.1.0-linux-amd64.sig \
  docsiq-v0.1.0-linux-amd64

v0.0.3

23 Apr 07:17
b440914

What's Changed

Other Changes

  • ci(release): switch to goreleaser (scorecard Packaging → detected) by @aksOps in #43
  • fix(security): filepath.IsLocal sanitisers for CodeQL path/command-injection by @aksOps in #44
  • chore: add .bestpractices.json for OpenSSF badge automation by @aksOps in #45
  • chore: governance/community files + finish BestPractices passing tier by @aksOps in #46
  • ci: drop push:main trigger from ci and fuzz (saves ~2min/merge) by @aksOps in #47
  • chore: add CHANGELOG.md + fill missing BestPractices criteria by @aksOps in #48
  • ci: drop macOS from test matrix (fix TestScale_1000Notes flake) by @aksOps in #49
  • ci(release): drop goreleaser (Pro-only prebuilt) — inline cosign + gh release by @aksOps in #50

Full Changelog: v0.0.2...v0.0.3

Verify

All artifacts are signed with cosign keyless via Sigstore.

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/RandomCodeSpace/docsiq/\.github/workflows/release\.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate docsiq-v0.0.3-linux-amd64.pem \
  --signature docsiq-v0.0.3-linux-amd64.sig \
  docsiq-v0.0.3-linux-amd64

v0.0.2

23 Apr 04:48
7d21e6c

docsiq v0.0.2 — Scorecard cadence fix

Small CI-only follow-up to v0.0.1. No user-facing behaviour changes.

Changes

  • Scorecard workflow cadence — the scorecard.yml workflow now
    runs on release completion and on a weekly schedule, instead of
    firing on every push to main. The policy being scored is
    unchanged; this trims noise from re-scoring commits that don't
    move any scorecard-visible state. (#42)

Upgrade impact

Safe drop-in upgrade from v0.0.1. No API, CLI, or on-disk schema
changes. Users can replace the binary in place.

Security

Signing, SHA256SUMS, and SLSA provenance — all unchanged and present
in this release.

v0.0.1

23 Apr 04:11
b55cc30

docsiq v0.0.1 — first stable release

First non-beta release of docsiq after an extended beta phase. This
release establishes the feature set and API surface that subsequent
0.0.x patches will maintain back-compat against.

What's in the box

  • GraphRAG indexing pipeline — five-phase ingestion: chunk → extract
    entities + relationships + claims → community-detect (Louvain) →
    embed → persist.
  • Document loaders — PDF (langchaingo), DOCX, TXT, Markdown, and a
    polite web crawler with robots.txt + allow-list + MIME checks.
  • Multi-provider LLM layer — Azure OpenAI, OpenAI, and Ollama behind
    a single internal/llm abstraction (langchaingo underneath).
  • Query engine — hybrid local (vector + FTS5) and global
    (community-summary) search.
  • Surfaces — CLI (docsiq index|search|serve), REST API, MCP
    server, and an embedded React SPA served by docsiq serve.
  • Storage — single SQLite file with sqlite_fts5 + sqlite-vec
    for vector search. No external DB to deploy.

Install

# Signed binary
gh release download v0.0.1 -p 'docsiq-v0.0.1-linux-amd64*'

# Or from source
go install github.com/RandomCodeSpace/docsiq@v0.0.1

Upgrade impact

No previous stable release exists — this is v0.0.1. Users upgrading
from v0.0.0-beta.* should start with a fresh data directory; the
schema is the same as the final beta but the beta tags have been
retired.

Security

  • All release binaries are signed with cosign keyless via Sigstore
    and anchored to the Rekor transparency log.
  • A signed SHA256SUMS is included. Verification instructions are
    attached to this release.
  • SLSA build provenance (.intoto.jsonl) accompanies the binaries.

Known limitations

  • Darwin support is limited to arm64; amd64 binaries are not
    built (cgo + sqlite-vec cross-compile complexity).
  • Pre-1.0: APIs and on-disk schema are not yet frozen.