Releases: tale-project/tale

Tale v0.2.88

24 Jun 10:09
34ddc4b


What's Changed

  • feat(platform): ambient "Queued for capacity" chip on parked task rows by @larryro in #2107
  • docs(platform): clarify crons.ts module header comment (#99001) by @larryro in #1909
  • fix: prefill passkey name from device info (#1948) by @larryro in #1968
  • fix(platform): styled 404 for unknown dashboard routes (#2097) by @larryro in #2098
  • fix(platform): remove member sorting from the team members table (#1953) by @larryro in #2106
  • fix: remove search and multi-select from the token sources table (#1958) by @larryro in #2108
  • fix: make Upload skill control a normal button (not a single-item dropdown) (#1955) by @larryro in #2103
  • fix: rename all "Added on" labels to "Added" (#1956) by @larryro in #2105
  • fix: move organization ID to API keys section description with copy button (#1952) by @larryro in #2102
  • fix: localize model catalog last-synced date and add colon (#1959) by @larryro in #2109

Full Changelog: v0.2.87...v0.2.88

Tale v0.2.87

24 Jun 03:35
6b90e78


Highlights

Enterprise SSO & SCIM provisioning (#1936)

Unified, file-based Enterprise SSO replacing the old per-provider config: a single connection covering OIDC, OAuth2, and SAML, plus SCIM 2.0 user/group provisioning. Configured from the admin UI (Settings → Enterprise SSO). See the new Enterprise SSO docs.

Two-tier sandbox concurrency limits (#1971)

Sandbox concurrency is now governed at two levels: global environment caps and per-org governance. Default caps were lowered to suit a small host — operators on larger boxes should set these explicitly:

  • SANDBOX_MAX_CONCURRENT default 4 → 2
  • SANDBOX_MAX_SESSIONS default 10 → 2
  • SANDBOX_MAX_SESSIONS_PER_ORG remains 50

Unified chat panel + branch-aware workspace inheritance (#1934)

Consolidated chat experience into a single panel, with sandbox workspaces that inherit from their parent branch.

Fixes

  • Sandbox-agent 401 responses no longer launder into a fake success (#2100).
  • Website scan no longer spins indefinitely on un-markable (canonical) URLs.

Operator notes

Migrations run automatically on tale deploy (auto-detected, confirmed at deploy). This release adds:

  • Fold legacy audit_retention policy into retention_policy (destructive, reversible)
  • Migrate ssoProviders into the file-based Enterprise SSO connection (reversible)
  • Export orgPackagePolicy → file-based run_code governance policy (reversible)
  • Export modelSyncSettings → file-based model_sync governance policy (reversible)
  • Drop legacy orgPackagePolicy rows, post-export cleanup (destructive, reversible)
  • Drop legacy modelSyncSettings rows, post-export cleanup (destructive, reversible)

Upgrade with tale upgrade, then tale deploy.

Tale v0.2.86

23 Jun 08:27
28c423e


Website crawling now runs in-process (#1935)

Registered websites are now re-crawled by an in-process Convex cron (scan due websites, every 5 minutes) — the replacement for the former standalone crawler service's poll loop. Without it, registered websites never re-crawled after the standalone service was removed. Full-site sitemap discovery is also restored (the interim 100-URLs-per-scan cap was a regression); the discovery ceiling is tunable via the optional CRAWLER_MAX_DISCOVER_URLS env var.

Deploy fix: knowledge-db schema convergence

The private_knowledge and public_web baselines now idempotently add later columns (metadata, org_slug, the chunk overlap columns, …) onto pre-existing tables. Deployments whose knowledge databases were created by the old per-service RAG/crawler migrations — before the baseline consolidation in #1883 — previously crash-looped at deploy with column "metadata" does not exist. The change is metadata-only (every column is nullable or defaulted) and safe on populated tables.

Release pipeline now ships the controller and LLM-gateway images

tale-controller and tale-llm-gateway are now built and pushed as part of a release (11 service images total, native amd64 + arm64). They were previously built in CI but absent from the release image set.


Operators: upgrade with tale upgrade, then tale deploy. The schema convergence runs automatically via dbmate; no manual steps.

Tale v0.2.85

23 Jun 06:05
cb33c9b


v0.2.85 — Apps platform, the AI Workforce, and persistent sandbox agents

This is a large release. It introduces a config-driven Apps platform (installable packs that bundle app-scoped agents, workflows, and sandbox-agent steps), the AI Workforce (an agent company with an organigram, task operations, and Discussions), and persistent sandbox agent sessions that run Claude Code with docker-in-sandbox, browser human-takeover, BYO credentials, and rotating token sources. It also ships SSO/identity hardening (generic OIDC claim mapping + PKCE, passkey/2FA controls, server-side idle timeout), a zero-friction guided setup, and a knowledge-platform refactor that moves RAG into the Convex backend behind a dedicated knowledge-db container.

🔒 Security & Identity

  • Generic OIDC claim mapping, role-mapping rules, and PKCE — map arbitrary identity-provider claims to Tale roles and use PKCE for the auth-code flow (#1857)
  • Passkey admin revocation, configurable 2FA-wall enforcement options, and sign-in audit events (#1859)
  • Server-side session idle-timeout enforcement (#1862)
  • Knowledge entries are now written through an approval-gated knowledge_write path (#1866)
  • Audit-log retention and PII-scrub checkpoints are signed with a new TALE_AUDIT_SIGNING_KEY (HMAC-SHA256), making the audit hash chain tamper-evident; the key supports rotation via TALE_AUDIT_SIGNING_KEY_PREVIOUS (#1879)
  • Sensitive form fields are masked in the UI (#1912)
  • Ratcheted the dependency CVE gates from CRITICAL down to HIGH (#1856)

💥 Breaking Changes (operator-facing)

  • The tale-crawler and tale-rag containers are removed. RAG/knowledge processing now runs inside the Convex backend (node-actions), backed by a new dedicated knowledge-db container (ParadeDB: pg_search + pgvector). A new optional KNOWLEDGE_DATABASE_URL (or KNOWLEDGE_DB_NAME, default tale_knowledge) points at it; it defaults to the bundled knowledge-db service and is split out so it can be relocated for data residency (#1907)
  • RAG cross-encoder re-ranking is now API-only. RAG_RERANKING_PROVIDER=local is no longer supported and fails fast — set RAG_RERANKING_PROVIDER=api pointing at an external Cohere/Jina-compatible /rerank endpoint (RAG_RERANKING_API_BASE_URL + RAG_RERANKING_API_KEY) (#1869)
  • Metrics endpoints consolidated. /metrics/crawler and /metrics/rag are removed; scrape /metrics/platform instead. Update any Prometheus scrape config that targeted the old paths

🚀 Features

Apps platform

  • Config-driven Apps platform: installable packs that bundle app-scoped agents, workflows, and sandbox-agent steps, isolated from the global catalog under a composite <app>/<name> slug (#1911)
  • Install/readiness wizard with inline integration-connect, per-agent dependency readiness (managed ↔ BYO), multi-project installs (one app → many projects), and durable task runs (#1927)

The AI Workforce

  • Workforce foundations: task operations, an org organigram, and per-agent logs (#1877)
  • The AI Workforce — an agent company with Discussions and human controllability over what agents do (#1907)
  • Task views split, @-mention descriptions, and per-agent metrics (#1878)

Persistent sandbox agents

  • Persistent agent sessions for Claude Code — a durable, resumable sandbox session per (org, user) (#1872)
  • Sandbox agents can use any connected org integration, with credentials that never enter the container (#1880)
  • Native docker/compose inside a session via configurable runtime tiers (runc/gVisor/sysbox/kata) (#1881)
  • Read-only sandbox observability in chat: a live browser view and a workspace file explorer (#1890)
  • External-agent BYO credentials plus per-user env vars and secrets (#1892)
  • Agent-initiated browser human takeover — an agent can hand the browser to a person (e.g. to solve a CAPTCHA) and resume (#1895)
  • Token sources: broker-fetched pools of rotating LLM credentials for BYO agents, with random pick and 401/429/529 failover (#1930)

External-agent chat

  • External-agent interactive/autonomous modes with incremental answer streaming (#1900)
  • Agent editor: switch an agent between internal/external types, with a folder breadcrumb (#1918)

Automations & workflows

  • Step-by-step debug mode for automations (#1871)
  • Per-step error feedback in the automation test panel (#1870)

Setup & operations

  • Zero-friction setup: guided CLI install, an onboarding wizard, and guided create flows (#1879)
  • Pre-migration volume snapshots and a new tale backup command (#1863)
  • Adaptive chat reliability and blue-green deploy tiers (#1914)
  • Cross-terminal clean-output rework for tale and bun run dev (#1904)

UI & UX

  • Settings full-width sweep, banner alerts, and login-UX refresh (#1910)
  • Refined settings layouts and onboarding-wizard UX (#1903)
  • Interactive PDF links and a branch-aware automation canvas (#1912)
  • Settings migrated to a left-rail sidebar across all pages (#1839)
  • Model capability details in an info popover (#1885)
  • Clearer notifications with locale-safe actor names (#1876)
  • Org deletion moved into the settings danger zone (#1891)

⚡ Performance

  • Single-source chat timeline with reduced render churn (and a fix for the reaped-turn error) (#1906)
  • Cut cross-component round-trips in getOrganizationMember (#1898)
  • Provider request-body mapping and max_completion_tokens for reasoning models (#1905)

🐛 Fixes

  • Per-project task dedup, stopped-run step settling, and sandbox stream-idle recovery (#1929)
  • Surface the raw provider error and stop mislabeling provider param rejections as user errors in chat (#1894)
  • Knowledge-db local-dev wiring and pdfjs extraction in the Convex node runtime (#1902)
  • Stop a long document name from overflowing adjacent columns (#1901)
  • Derive the dev builtin-config catalog from TALE_CONFIG_DIR (#1893)
  • Recover stuck websocket auth on cold start and fix skeleton-mask sizing (#1873)
  • Gate RAG queueing on a shared indexability allowlist (#1853)
  • Route all pdfjs consumers through a shared loader, fixing a DOMMatrix indexing failure during PDF extraction (#1933)

📝 Other

  • Switched raw <table> usage to the shared Table component (#1882)
  • Added a Playwright E2E suite with a mock LLM and CI workflow (#1860)
  • E2E/test tooling, the Opengrep SAST gate, and package cleanup (#1883)
  • Weekly model-catalog sync (#1884)
  • Rewrote the subprocessor tables for EU/EEA AI processing (#1874)
  • Added the /release skill and a Claude Code chat-agent config (#1928)
  • Pruned the remaining standalone crawler/rag service references across compose, docs, README, and CI; the sandbox LLM gateway ships as a first-class llm-gateway service (#1931)
  • Added a regression test verifying the web client passes the Mozilla Observatory security-headers check (#1932)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

This release contains a multi-step governance data migration and a container topology change — review before deploying:

  • Governance policies move from the database to per-org JSON files (3 migration steps). Steps 1–2 are non-destructive (export to files + split staged DSAR changes into a dedicated table). Step 3 drops the legacy governancePolicies rows and is gated behind explicit operator confirmation during tale deploy; it is reversible (each row is snapshotted before deletion). Run it only after verifying the exported governance files look correct.
  • Knowledge/RAG topology change. The tale-crawler and tale-rag containers are gone; a new knowledge-db container holds the corpus. See the updated container-architecture and data-residency docs before upgrading a deployment with an existing indexed corpus.
  • New audit signing secret. TALE_AUDIT_SIGNING_KEY is auto-generated and written to .env during deploy if missing (the deploy preflight verifies it). Back it up with your other secrets and keep it stable across deploys.
  • If you used local RAG re-ranking, switch RAG_RERANKING_PROVIDER to api (see Breaking Changes).
  • If you scrape metrics, update any scrape config pointing at /metrics/crawler or /metrics/rag to /metrics/platform.
  • The sandbox LLM gateway is now a first-class llm-gateway compose service. Its management-API password (LLM_GATEWAY_ADMIN_PASSWORD) is auto-generated on deploy if missing; set LLM_GATEWAY_ADMIN_USERNAME / LLM_GATEWAY_ADMIN_PASSWORD only to pin your own values.

Contributors

@larryro, @yannickmonney, @AdeolaAdekoya, @Israeltheminer


Full Changelog: v0.2.84...v0.2.85

v0.2.84 — Kubernetes sandbox backend, adaptive reasoning, and audit hardening

11 Jun 01:52


This release adds a Kubernetes execution backend for the sandbox alongside the existing Docker path, a major LLM-pipeline upgrade (adaptive reasoning budgets, prompt caching, and a redesigned Auto router), and new knowledge-base workflows in chat. It also hardens audit-log access, clears the transitive HIGH dependency advisory backlog, and makes tale rollback safe by design.

🔒 Security

  • Audit-log reads are now restricted to org admins and owners. The public queries listAuditLogs, listAuditLogsPaginated, and getActivitySummary reject non-admin roles, the unused public getResourceAuditTrail query was removed, and the row-level-security matrix drops developer/editor audit-log access to write-only (#1852)
  • Cleared the transitive HIGH dependency advisory backlog: picomatch ReDoS (GHSA-c2c7-rcm5-vvqj), lodash _.template code injection (GHSA-r5fr-rjxr-66jc, overridden to 4.18.1), and the tar path-traversal advisory family via removal of an orphaned canvas lockfile entry (#1854)

🤖 Model & Provider

  • Adaptive reasoning governor: thinking budgets now adapt per (model, agent type) profile with self-calibrating difficulty thresholds. Output truncation no longer counts as thinking starvation, and wasteful reasoning (high thinking, tiny answer) trims the budget (#1838)
  • The Auto router is now a config-defined agent backed by a fast classifier model, replacing the hardcoded lexical heuristics. Routing decisions are cached, and models with missing keys or broken configuration are skipped at resolution time instead of producing a doomed request (#1838)
  • Updated OpenRouter provider catalog and a new coder example agent for fresh deployments (#1838)

💥 Breaking Changes

  • tale rollback no longer accepts an arbitrary -v/--version flag. The only valid target is the recorded previous version, and only when it shares major.minor with the running platform (patch-only rollback). On refusal the command prints the snapshot-restore runbook instead of proceeding. Update any operator scripts that pass --version (#1861)

🚀 Features

  • The sandbox service can now run on Kubernetes: SANDBOX_BACKEND=docker|kubernetes selects between the unchanged Docker Compose backend (still the default) and a new exec-free Pod-per-exec Kubernetes backend that needs no docker.sock or host-path workspace (#1841)
  • @-mention knowledge-base documents in chat: an anchored picker in the composer pins up to 5 indexed documents to a turn, scoping that turn's retrieval to exactly those documents (#1864)
  • Folder-scoped RAG search: retrieval can be limited to a single Document Hub folder and all of its subfolders (#1865)
  • Live per-node execution status on the workflow canvas, driven by a single reactive query (#1868)
  • New integration_processing_records workflow action for incremental, deduplicated processing of external SQL/REST integration data, with four incremental strategies (#1858)

⚡ Performance

  • Generic prompt caching with per-model strategies (explicit cache breakpoints for Anthropic/Gemini via OpenRouter, deterministic cache keys for OpenAI/DeepSeek) plus cache pre-warming on composer focus, reducing latency and cost on repeat prompts (#1838)

🛠 Improvements

  • Smoother streamed-text rendering: chat responses now reveal at clause boundaries instead of raw token chunks (#1838)

🐛 Fixes

  • Workflow execution step journals rendered empty for roughly 75% of runs due to a component shard-routing bug; journal loads now resolve the execution's actual shard (#1868)
  • Inline chat token count now shows output tokens instead of input/total (#1838)

📝 Other

  • RAG indexing status is consolidated onto fileMetadata.ragStatus as the single source of truth inside Convex; documents.ragInfo and documents.indexed are deprecated but remain readable for existing rows (#1840)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required. During tale deploy you will be prompted to confirm two automatic data backfills (RAG status consolidation and folder-path indexing); the RAG database schema migration applies automatically when the database container starts.

Contributors

@larryro, @yannickmonney


Full Changelog: v0.2.83...v0.2.84

v0.2.83 — Reasoning latency metrics and a leaner chat path

08 Jun 16:35
2494f42


This release adds reasoning-aware time-to-first-token metrics, so you can see what you actually wait for on a reasoning model — the "thinking" stream that starts before the first answer token — plus a send-relative breakdown that exposes the backend "setup before model" overhead the old action-relative metric missed. It then cuts that overhead with a consolidated governance round-trip and pre-stream parallelization, enforces role-scoped feature flags in chat, and records usage, audit, and metrics for content-policy-blocked turns.

🔒 Security

  • Role-scoped feature flags are now enforced in chat. The resolver was invoked without the user's role, so scope: 'role' rules silently never matched even though the UI reported them active. The role already resolved for the budget check is threaded through, so role-targeted flags apply consistently on the backend. (#1837)

🚀 Features

  • Reasoning-aware time-to-first-token metrics: the message info dialog now shows "Time to first reasoning" — the wait until a reasoning model's thinking starts streaming, which happens before the first answer token — and a send-relative "Setup before model" breakdown that captures the backend pre-stream hops the previous action-relative metric never measured. New optional timeToFirstReasoningMs and timeFromSendMs message-metadata fields back the dialog. Includes a dev/admin-gated "direct TTFT" probe that streams straight to the model — bypassing the persistence/delta/scheduler layers — so a developer can compare the pipeline against the model's own floor. (#1837)

⚡ Performance

  • Faster chat "Setup before model" wait: the per-turn governance reads (default-model override, accessible-model filter, model-access check, plus org membership and team IDs) are folded into a single resolveGenerationGovernance round-trip, and the pre-resolved role/team context is threaded through the generation path so startChat and budget enforcement skip duplicate Better Auth lookups. Two cross-component getThread calls are replaced with a direct metadata read. Warm pinned-model path: startChat ~300ms → ~90–200ms; "Setup before model" ~404ms → ~265–290ms. (#1837)
  • Pre-stream parallelization: the per-turn skill snapshot is cached in-process (mtime-validated) instead of rebuilt every send via nested node-action round-trips and disk reads, the budget check and feature-flag resolution now run concurrently, and generation is dispatched via an awaited runAction so it can start on a free event-loop tick. (#1837)

🐛 Fixes

  • Content-policy ("guardrails") blocks now record a usage-ledger row, an AI audit entry, and timing metrics. The block sites returned early without running onAgentComplete, so a block consumed provider tokens but left no usage, audit, or metric trace. (#1837)
  • Overlapping sends no longer double-generate and double-bill: a new send (multi-tab, API, or cancel-then-resend) now cancels the in-flight turn before starting a new one. (#1837)
  • Restored the arena first-message branch link, which a content-policy/scheduler split had caused to be created before the user message was saved (dropping the A↔B link). It's now created after the message commits, best-effort. (#1837)
  • Restored synchronous PROJECT_MISMATCH detection after generation moved async, mapped all PROJECT_* codes to their localized toast, and wrapped the model-denied audit write so an audit failure can't swallow the user notice. (#1837)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required. The two new message-metadata fields (timeToFirstReasoningMs, timeFromSendMs) are optional and apply automatically on deploy; rows written before this release simply omit them. The dev-only direct-TTFT probe reuses the existing TALE_DEPLOYMENT_CONFIG_ADMINS allowlist (empty/unset = nobody, fail-safe) — no new environment variable is needed.

Contributors

@larryro


Full Changelog: v0.2.82...v0.2.83

v0.2.82

07 Jun 03:36
05d71d4


v0.2.82 — Data residency, passkeys, and Auto routing

This release adds deployment-level data residency for self-hosted instances (external knowledge Postgres, app Postgres, and S3 file storage), WebAuthn/passkeys with 2FA enforcement, and an "Auto" agent mode that routes each message to the right agent server-side. It also lands a broad performance pass across dashboard navigation, chat/org switching, and Convex per-request auth cost, plus org-configurable session idle timeout, out-of-band audit-integrity alerts, dependency CVE patches, and a large batch of table and chat UI polish.

🔒 Security

  • WebAuthn / passkeys: enroll, sign in, and revoke passkeys from account settings, with register/revoke audit entries. A registered passkey satisfies an enforced two_factor_policy alongside TOTP, so passkey-only users are never bounced to the TOTP wall. (#1822)
  • Org-configurable session idle timeout: admins can set the inactivity window from Settings → Security. The deployment-wide SESSION_IDLE_TIMEOUT_MINUTES stays the server-side hard cap — an org may only tighten it, never extend past it — and drives the client idle watchdog. (#1819)
  • Out-of-band alerting on audit-log integrity failure: the nightly hash-chain/checkpoint verification now raises a critical security notification (in-app bell + Slack fan-out) to org admins on any chain break, truncation, or checkpoint mismatch, not just an in-band audit row. (#1820)
  • Env-var source for provider API keys: a provider or model may set a secretsEnv field in its public <provider>.json to source the key from an environment variable, for operators whose secrets live in Kubernetes Secrets / Vault / cloud secret managers. The env-var name must use the reserved TALE_PROVIDER_KEY_ prefix and is fail-closed — unset, empty, or non-prefixed names fall back to the existing file key, so file-only deployments are unchanged. (#1711, #1832)
  • Failed-login lockout advisory: a failed credential attempt now shows a calm advisory that repeated failures temporarily lock the account. Deliberately not a per-attempt counter, which would reintroduce account enumeration and hand attackers a brute-force budget. (#1811)
  • Dependency security patches: hono 4.12.21 (mount-prefix advisory, #1830) and the vitest toolchain 4.1.8 (clears the critical otelCarrier advisory GHSA-2h32-95rg-cppp, #1823). Recorded accept-risk CVE suppressions and documented the security-update flow ahead of ratcheting the CVE gate. (#1821)

🤖 Model & Provider

  • "Auto" agent mode: when no assistant is pinned, the composer sends an auto sentinel and the server resolves it to a concrete agent before generation, so the thread commits the real agent from the first frame. Routing uses a cheapest-first ladder (≤1 candidate or trivial greeting → no LLM call; otherwise one timeout-raced classifier call that degrades to the default agent on timeout or failure, never blocking first-token latency). Agents now also support ordered multi-model selection — the first model is the default, the rest are fallbacks. (#1829)

🚀 Features

  • Deployment-level data residency: a flag-gated admin UI (Settings → Data residency) points a self-hosted deployment's knowledge Postgres, app Postgres, and Convex file storage at customer-controlled infrastructure. Config is a deployment-scoped deployment.json (+ SOPS secrets), consumed by the rag and convex entrypoints at boot and fail-closed; absent config keeps today's defaults. Includes per-section connection testing and an opt-in controller sidecar for one-click "Apply & restart". Writes are gated by org owner/admin plus the TALE_DEPLOYMENT_CONFIG_UI flag. (#1827)
  • Automation tester result feedback: the test panel now subscribes to the run it started and shows live status — running (with the current step), completed, or failed (with the failing step name and error) — instead of only toasting "execution started". (#1817)

⚡ Performance

  • Near-instant warm dashboard page transitions: fixed route-loader prefetches that never matched the table's actual usePaginatedQuery subscription, so navigating between list pages no longer flashes a skeleton. (#1833)
  • Reduced Convex per-request auth + query cost: request-scoped memoization resolves {user, orgs, teams} once per request instead of repeating cross-component Better Auth calls on the hot path (amplified ~5–10× on self-hosted), plus a set of query/frontend cleanups. Behavior-preserving. (#1831)
  • Faster chat switch, org switch, and setting toggles: consolidated four per-thread queries into one getThreadMeta behind a single access check, de-waterfalled org switching, fixed N+1/unindexed queries, and added optimistic updates to toggles. (#1825)
  • Gated cold-load queries on auth via an account bootstrap, so unauthenticated cold loads stop firing data queries.

🛠 Improvements

  • Split People settings into dedicated Organization and Teams destinations: Members now live under Organization (prefetched in the route loader), Teams get their own /settings/teams route, and /settings/people redirects so existing links keep working. (#1836)
  • Shared DataTable polish: fixed-width select-checkbox and row-actions columns align across every table, consistent row height, and skeletons that match the real table layout. (#1835)
  • Raised form-label contrast to text-foreground at the shared-component level (a11y), polished the filter popover and read-only email surfaces, and refreshed the feature-chat marketing image. (#1834)
  • Polished the list header, mobile header, chat toolbar, loading skeletons, and tab navigation. (#1824)

🐛 Fixes

  • Made chat auto-scroll instant so sending a message no longer stalls part-way up the thread. (#1826)
  • Preserve reasoning and tool parts when branching an edited chat, and keep chat markdown headings plain (no doc-style anchors).
  • Keep one-off translation requests in the reply language. (#1813)
  • Highlight a duplicated agent as a new row. (#1812)
  • Keep tooltips clear of viewport edges and controls. (#1814)
  • Fixed Vite dep-optimizer 404s and tab-underline alignment. (#1828)
  • Made the read-aloud toggle available on a new chat.
  • Aligned the provider-details, add-provider, provider-options, and erasure-request drawers with the shared settings-UI chrome.
  • Relaxed the platform health-check interval to cut boot noise. (proxy, #1815)
  • A batch of skeleton, mobile-header, table min-width, automation-centering, and retention-timeline mobile-width fixes.

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — all schema changes this release are additive (new optional fields, new indexes, and a new session_idle_timeout governance policy) and apply automatically on deploy. Three new capabilities are opt-in and leave existing behavior unchanged:

  • Data residency — set TALE_DEPLOYMENT_CONFIG_UI to expose the write UI, and optionally set CONTROLLER_TOKEN to enable the controller sidecar for one-click "Apply & restart" (otherwise apply with docker compose restart rag convex). An external knowledge DB must run ParadeDB (pgvector + pg_search) or hybrid search degrades to vector-only; switching local → S3 file storage is greenfield and does not migrate existing blobs.
  • Env-sourced provider keys — add a secretsEnv field to a provider/model in <provider>.json pointing at an env var named with the reserved TALE_PROVIDER_KEY_ prefix. Leave it unset to keep using file-based keys.
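The secretsEnv rule from the Security section and this upgrade note (reserved TALE_PROVIDER_KEY_ prefix, fall back to the file key when the name is unset, empty or non-prefixed) is modelled below as an added example. It is not Tale's own resolver; the field names apiKey and secretsEnv on the config object, the KeyResolution shape and the warning strings are assumptions made for the illustration.

```typescript
// Illustrative resolver for the secretsEnv rule; added example, not Tale's code.
// Honour an env-var name only when it carries the reserved prefix and resolves to a
// non-empty value; anything else falls back to the file-based key, so a typo or a
// missing variable can never silently select the wrong secret.
export const RESERVED_PREFIX = "TALE_PROVIDER_KEY_";

export interface ProviderConfig {
  apiKey?: string;     // key stored in the provider's JSON file (hypothetical field name)
  secretsEnv?: string; // env var to read instead, e.g. TALE_PROVIDER_KEY_OPENAI (hypothetical name)
}

export interface KeyResolution {
  key: string | undefined;
  source: "env" | "file" | "none";
  warning?: string; // operator-facing diagnostic; deliberately never contains the secret value
}

export function resolveProviderKey(
  cfg: ProviderConfig,
  env: Record<string, string | undefined>,
): KeyResolution {
  const name = cfg.secretsEnv === undefined ? "" : cfg.secretsEnv.trim();
  if (name !== "") {
    // The prefix check stops a provider file from pointing at arbitrary process
    // environment (a database URL, a signing key) and shipping it to a provider as an API key.
    if (!name.startsWith(RESERVED_PREFIX)) {
      return fileFallback(cfg, `secretsEnv "${name}" does not start with ${RESERVED_PREFIX}; ignored`);
    }
    const value = env[name];
    if (value === undefined || value.trim() === "") {
      return fileFallback(cfg, `env var ${name} is unset or empty; ignored`);
    }
    return { key: value, source: "env" };
  }
  return fileFallback(cfg);
}

// File-based key, or "none" when the provider has no usable key at all.
function fileFallback(cfg: ProviderConfig, warning?: string): KeyResolution {
  if (cfg.apiKey !== undefined && cfg.apiKey.trim() !== "") {
    return { key: cfg.apiKey, source: "file", warning };
  }
  return { key: undefined, source: "none", warning: warning ?? "no key configured for provider" };
}
```

The resolution's `source` field is what an operator wants in a startup log line: it confirms that a Kubernetes Secret or Vault-injected variable was actually picked up, without printing the key itself.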

Contributors

@yannickmonney, @larryro, @Israeltheminer, @AdeolaAdekoya, plus dependency security updates via Renovate.


Full Changelog: v0.2.81...v0.2.82

v0.2.81 — Tasks, collaboration, and session security

02 Jun 05:08
e338ec0


This release adds a task platform with a collaborative inbox and project-scoped secrets, plus Slack and Confluence integrations and a generic OIDC SSO adapter. It hardens sessions with optional server-side idle timeout and adds daily audit-log integrity verification, alongside dependency CVE patches and a large batch of UI and import fixes.

🔒 Security

  • Server-side session idle timeout: set the optional SESSION_IDLE_TIMEOUT_MINUTES (1–1440) to sign a session out after inactivity. The window slides on activity and is enforced server-side across email/password, SSO, and trusted-headers sessions; the client also warns and signs out idle sessions. Unset by default, so existing behavior is unchanged. (#1808, #1810)
  • Daily audit-log integrity check: the hash-chain + checkpoint verification that previously ran only on demand now runs daily across every org and raises a security-category audit row plus a structured alert on any chain break, truncation, checkpoint mismatch, or unsigned PII scrub. (#1805)
  • Force re-authentication after a voluntary password change so prior sessions can't continue. (#1769)
  • Block CI on high/critical CVEs and fast-track Renovate security updates (supply-chain hardening). (#1784)
  • Dependency security patches: axios 1.16.0 (#1788), python-multipart 0.0.27 (#1787), brace-expansion 5.0.6 (#1785), turbo 2.9.14 (#1786).

🤖 Model & Provider

  • Centralize AI reply-language behind a shared priority chain (explicit request → message language → browser-locale fallback) and remove the per-agent language block from all shipped agents, so reply-language resolves consistently across agents. (#1795)

🚀 Features

  • Task platform with a collaborative inbox: tasks, comments, activity, dependencies, and board views, with project-scoped secrets, per-agent secret access, and user notifications/subscriptions. (#1761)
  • Slack integration: inbound bot (app mentions and DMs) and outbound workflow/security notifications, via a bring-your-own Slack app installed by manifest + OAuth. (#1762)
  • Confluence Cloud read-only sync integration. (#1807)
  • Generic OIDC identity-provider adapter for SSO. (#1809)
  • Upload product images during product create/edit. (#1797)

🛠 Improvements

  • Consolidate API settings into a single page and refine the navigation chrome and account menu. (#1806)
  • Assign documents and folders to multiple teams. (#1773)
  • Default to the team context in the prompt library's Team tab. (#1798)
  • Show price, category, and status in the product list. (#1767)
  • Show tags and assigned team on prompt list rows. (#1777)
  • Paginate the organization members table. (#1796)
  • Clarify upload-success vs. background-indexing copy, and hide masked content behind a skeleton while loading. (#1778, #1779)

🐛 Fixes

  • Ignore a spurious empty Radix Select change that falsely dirtied org settings. (#1816)
  • Accept uiLanguage in the shared userContext validator. (#1802)
  • Gate the DB healthcheck on an init-completion marker. (#1801)
  • Make form-field borders visible in light mode, and cap the select dropdown height to the viewport. (#1800, #1799)
  • Validate required columns on product CSV import, and harden customer/vendor import against silent data loss. (#1793, #1766)
  • Gate the automation tester on input validation, and add a timeout to the MCP server connection test. (#1792, #1790)
  • Lock upload team selection to the folder's team. (#1776)
  • Gate create-dialog submit buttons on form validity. (#1765)
  • Surface the missing-password error on the add-member form. (#1768)
  • Reject conflicting allow/block extensions in the upload policy. (#1770)
  • Use sensible thread titles for attachment-only chats, and stop dictation when a chat message is sent. (#1771, #1772)
  • Label custom condition branches in the automation flow. (#1774)
  • Right-align the team row action menu. (#1794)
  • Comment cascade, screenshot, notification skeleton, and label fixes. (#1763)

📝 Other

  • Document PII at-rest posture (Option B). (#1804)
  • Cryptography reference aligned with BSI TR-02102-1. (#1780)
  • Worked examples: Prometheus + Grafana, audit-log export, and modular AI-directed test guides per feature module. (#1781, #1782, #1783)
  • Private-host provider policy + OAuth2 callback URL docs, and fix the OpenAI-compatible endpoint path. (#1775, #1764)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — new tables and the daily audit-log integrity check apply automatically on deploy. Optionally, set SESSION_IDLE_TIMEOUT_MINUTES (1–1440) to enable server-side idle sign-out; leave it unset to keep the current session lifetime.

Contributors

@yannickmonney, @larryro, @Israeltheminer, plus dependency security updates via Renovate.


Full Changelog: v0.2.80...v0.2.81

v0.2.80

31 May 10:04
2898d22


v0.2.80 — Hardened org-first config migration

This release hardens the org-first config-layout migration introduced in earlier versions. The Convex entrypoint now self-heals provider secrets that an interrupted upgrade left behind at legacy paths, and the CLI resolves project context before any irreversible directory renames so a migration can no longer be left half-finished. It also fixes an infinite render loop in the governance editors plus minor chat and settings UI polish.

🐛 Fixes

  • Recover provider API-key secrets stranded by an interrupted org-first migration: the Convex entrypoint now self-heals legacy-path *.secrets.json into the org-first layout on every boot. It is idempotent, never clobbers a secret the UI already wrote to the new path, copies (not moves) so the legacy files remain as rollback insurance, and validates the org slug before migrating per-org secrets. This fixes spurious "No API key configured" errors on deployments whose host directories were migrated but whose container secrets were not. (#1760)
  • Resolve the project ID before any irreversible host-directory renames in tale start and tale update: a missing project context now fails fast instead of leaving a project half-migrated (host moved, container not). (#1760)
  • Stop an infinite re-render loop in the Budget and Default Model governance editors by memoizing on the policy config value rather than the query wrapper object. (#1760)
  • Fix the chat welcome view centering. (#1760)

🛠 Improvements

  • Show a loading skeleton for the retention policy timeline while it loads. (#1760)

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

No manual migration is required — the provider-secret self-heal runs automatically on boot. Operators still on the legacy flat layout with custom non-secret edits may optionally run tale deploy --override-all -y to migrate host-side config, then tale migrate config-layout --cleanup-old once they've verified health.

Contributors

@larryro


Full Changelog: v0.2.79...v0.2.80

v0.2.79

31 May 04:56
f87a254


v0.2.79 — WebDAV document mounts, unified search, and org-isolation hardening

This release adds WebDAV support to mount an organization's documents as a network drive, a unified search palette shared across the platform and docs, and a fully recursive Google Drive sync with delete/rename reconciliation. It also hardens multi-org isolation in the RAG service with shared-secret authentication and per-org data scoping, and refactors the on-disk config into a uniform org-first layout that is auto-migrated during tale upgrade.

🔒 Security

  • Hardened the RAG service for multi-org deployments (#1752):
    • Shared-secret authentication — the RAG service now accepts an Authorization: Bearer token (RAG_AUTH_TOKEN) with a constant-time compare, defending against lateral access on the internal Docker network. Auth is presence-based: when the token is unset the service stays open and logs a loud [SECURITY] warning on every boot.
    • Per-org data isolation — every protected endpoint now requires an X-Tale-Org header, and the data layer enforces org_slug on documents, chunks, and the semantic cache (with a cross-table foreign key). Two orgs with semantically identical queries can no longer pull each other's cached responses via embedding similarity. The schema migration runs automatically and idempotently at RAG startup.
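The request gate the two RAG hardening bullets describe, as an added example for this page rather than the service's own code; the header-dict shape, the org-slug pattern and the status-code return are assumptions, while RAG_AUTH_TOKEN is the variable the notes name (set in Migration Guide step 3).

```python
# Added example (not Tale's code): a model of the RAG request gate. Assumptions:
# headers arrive as a plain dict, the org slug must match a conservative
# pattern, and the caller turns the returned status into an HTTP response.
# RAG_AUTH_TOKEN is the environment variable named in the release notes.
import hmac
import logging
import os
import re
from typing import Optional, Tuple

log = logging.getLogger("rag")
ORG_SLUG = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")  # assumed slug rule


def load_token(env=os.environ) -> Optional[str]:
    """Presence-based auth: an unset token leaves the service open and is logged loudly."""
    token = env.get("RAG_AUTH_TOKEN")
    if not token:
        log.warning("[SECURITY] RAG_AUTH_TOKEN unset; accepting unauthenticated requests")
        return None
    return token


def gate_request(headers: dict, expected_token: Optional[str]) -> Tuple[int, str]:
    """Return (status, detail); 200 means proceed and detail is the org slug."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if expected_token is not None:
        scheme, _, presented = h.get("authorization", "").partition(" ")
        # compare_digest keeps the comparison time independent of where the
        # first differing byte is, so a peer on the internal network cannot
        # learn the token from response timing.
        if scheme != "Bearer" or not hmac.compare_digest(
                presented.strip().encode(), expected_token.encode()):
            return 401, "missing or invalid bearer token"
    org = h.get("x-tale-org", "").strip()
    if not ORG_SLUG.match(org):
        return 400, "X-Tale-Org header missing or malformed"
    # Every data-layer call downstream filters on this org_slug, so a hit in
    # the semantic cache can only come from the same org's own queries.
    return 200, org
```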

💥 Breaking Changes

  • Uniform org-first config layout (#1752): the config tree is now <root>/<org>/<domain>/... for every org, including default. tale upgrade and tale start auto-detect the legacy flat layout (agents/, workflows/, … at the project root) and migrate it in place after an interactive confirm. See the Migration Guide below.
  • Per-domain config env overrides removed (#1752): AGENTS_DIR, WORKFLOWS_DIR, PROVIDERS_DIR, INTEGRATIONS_DIR, and SKILLS_DIR are no longer honored — the platform strips them from the Convex deployment env on every boot. Operators with custom paths must set a single TALE_CONFIG_DIR root and place files under <org>/<domain>/.

🚀 Features

  • WebDAV server (#1757): mount an organization's documents as a network drive from Finder, Windows File Explorer, iOS Files, or rclone via a read-write WebDAV Class 2 endpoint at /dav/<orgSlug>/. Per-user app-passwords are managed under Settings → WebDAV; uploads land in the Document Hub and flow through the existing RAG indexing pipeline, with .trash soft-delete and lock support. The HMAC key auto-derives from the deployment's instance secret, so no extra configuration is required.
  • Unified search palette (#1758): one shared command palette across the platform and the docs site, backed by a new backend entity-search seam with org-scoped relevance ranking (exact → prefix → substring, then newest). Ships alongside an optimistic-update data layer that makes list edits and deletes feel instant.
  • Recursive Google Drive sync (#1756): the Google Drive integration now mirrors nested folder hierarchies, reconciles deletes (removing synced docs + their RAG entries when they vanish from Drive), and detects renames and cross-folder moves without re-downloading. Includes data-loss safety hardening (truncation guard skips reconcile, atomic upserts, cross-sync isolation).
  • Recover failed audio transcriptions (#1753): failed dictation and audio-upload transcriptions can now be retried from the UI without re-recording or re-uploading — the recording is retained and re-sent on retry.
  • Install the PWA from iOS (#1744): the "Get app" menu entry now appears on iOS Safari and opens an illustrated "Add to Home Screen" sheet, instead of being hidden on browsers that don't fire the native install prompt.

🛠 Improvements

  • Mobile navigation overhaul (#1759): a five-slot bottom nav with a featured Chat tab and a "More" overflow sheet, a back button on dashboard sub-pages, and safe-area polish so installed PWAs draw correctly down to the home indicator.
  • Settings & notifications polish (#1754): Cancel/Discard buttons on settings pages, the notification bell moved to a standalone sidebar popover, entity-named row counts across data tables ("Showing all 7 agents"), and assorted dropdown/menu refinements.
  • Icon-only toolbar buttons on mobile (#1747): a shared opt-in collapses button labels to icons below the sm breakpoint (keeping accessible names), applied across Save/Discard clusters and editor toolbars to stop button bars from crowding.
  • Redesigned maintenance screen (#1743): the proxy maintenance/update page now matches the offline screen's design system (design tokens, light/dark, reduced-motion support).
  • Calmer overlays (#1750): removed the zoom-scale entrance from popovers, dropdowns, menus, selects, and dialogs — they now animate with fade + slide only.

🐛 Fixes

  • Document search covers all pages (#1745): searching or filtering the documents table now eagerly loads the remaining pages, so matches outside the first 20 rows are found instead of reading as "no results."
  • New orgs seed from the builtin catalog (#1751): scaffolding a new org no longer copies the default org's writable workspace, so scratch agents and test workflows stop leaking into new orgs as templates.
  • Mobile settings Save/Discard (#1749): the Save/Discard cluster is now visible on small screens via a mobile-only action bar, and the duplicate "unsaved changes" prompt on discard-and-leave is fixed.
  • Mobile top-bar and bottom spacing (#1746): top-bar controls no longer collide with the iOS status bar / Dynamic Island, and the empty band below the bottom nav (a double-counted safe-area inset) is gone.

📝 Other

  • Added WebDAV usage and API documentation in en/de/fr (#1757).
  • Pointed the subprocessors DPA links to the canonical web URL, fixing the docs link-check CI (#1748).

Upgrade

Run tale upgrade to update the CLI, then tale deploy to apply the new version.

Migration Guide

This release requires attention for two changes. The RAG schema migration and the container-side config migration are handled automatically; the host-side config-layout move is prompted during tale upgrade.

1. Config layout is migrated automatically (one-time).
The config tree is now uniformly org-first (<root>/<org>/<domain>/...). When you run tale upgrade (or tale start), it detects the legacy flat layout and prompts you to migrate it in place (default No — answer Yes). The move is rollback-insured: container-side providers/secrets are copied, not moved, and cleaned up later.

  • CI / non-TTY: tale upgrade has no --yes flag and will abort on a legacy layout rather than migrate silently. Migrate explicitly with tale start --yes (dev) or tale deploy --override-all -y (prod).
  • After the new deployment is healthy, you can optionally reclaim the rollback copies (sha-verified before removal):
    tale migrate config-layout --cleanup-old

2. Replace per-domain config env overrides (only if you use them).
AGENTS_DIR, WORKFLOWS_DIR, PROVIDERS_DIR, INTEGRATIONS_DIR, and SKILLS_DIR are no longer honored. If you relied on them, set a single root instead and lay files out per org:

# Before: AGENTS_DIR=/custom/agents WORKFLOWS_DIR=/custom/workflows ...
# After:
TALE_CONFIG_DIR=/custom/config   # then place files under <org>/<domain>/, e.g. default/agents/, default/workflows/

3. (Recommended) Enable RAG service authentication.
The RAG service now supports shared-secret Bearer auth, but stays open (with a loud [SECURITY] log warning each boot) until you set it. To enable it, set the same token on both the platform and RAG containers:

# Generate once, then set the SAME value on both containers' env:
RAG_AUTH_TOKEN=$(openssl rand -hex 32)

Per-org RAG data isolation (the org_slug schema migration and semantic-cache scoping) applies automatically — no manual database step is required.

Contributors

@yannickmonney, @larryro, @Israeltheminer, @AdeolaAdekoya


Full Changelog: v0.2.78...v0.2.79