Changelog

Release notes for all Weavestream versions.

All notable changes to Weavestream are documented here. The format follows Keep a Changelog and this project adheres to Semantic Versioning.


Unreleased

1.8.0 - 2026-05-12

Added

  • AI chat. A new AI chat panel is available on every company page (toggle in the sidebar). Conversations are persisted as chat history. The AI is powered by any OpenAI-compatible LLM — configure the endpoint, model, and API key under Admin → Settings → AI. Chat supports multi-turn conversations with full history review and the ability to start fresh conversations at any time.

  • Chat context — articles & assets. Attach articles and assets to a chat conversation via @-mention. The currently viewed asset or article is automatically attached to the chat context when the panel is opened. Attached items appear in a context strip above the input field. A collapsible folder navigation panel inside chat lets you browse and attach items without leaving the conversation.

  • AI article editing. The AI can read and edit articles on your behalf via tool calls. When viewing an article, the AI has write access to the open document — accepted edits are applied directly. Chat responses can also be saved as new articles via a "Save as article" action.

  • Passwords in Expirations. Password expiry dates now surface alongside certificates and assets in the Expirations view, so upcoming credential renewals appear in the same dashboard as other lifecycle events.

  • Password folder rename & archive. Password folders can be renamed and archived from a new folder settings dialog, keeping the credential vault tidy as structures evolve.

  • Password linking. Passwords can be linked to articles and assets using the existing relations system. Linked items and file attachments are accessible directly from the password detail panel — consistent with how assets and articles handle relations.

  • Redesigned password dialog. The create / edit password dialog has been refreshed: tags are now managed with an inline tag-input chip component, the URL field has moved below the password field, and the overall layout is more consistent with asset and article forms.

  • .pem file uploads. .pem certificate files can now be attached as file uploads, extending the .key support shipped in 1.7.1.

Security

  • crypto.getRandomValues replaces Math.random. All internal ID / token generation now uses the cryptographically-secure crypto.getRandomValues API instead of Math.random.

Fixed

  • Fixed a bug where creating a new article via chat could fail due to an incorrect regular expression.
  • Fixed a remote property injection bug in the assets controller.

1.7.1 - 2026-05-08

Added

  • NinjaOne agent / non-agent split. The NinjaOne integration now exposes two independent resources: Agent devices (workstations and servers running the NinjaOne agent) and Network & non-agent devices (NMS-discovered switches / firewalls / printers, plus VMware / Hyper-V / Xen guest VMs and hypervisor management nodes). Each resource projects onto its own asset layout, has its own match key, and runs as a separate sync job — so MSPs can keep agented endpoints in their primary computers layout while routing SNMP gear and virtual machines into a dedicated network or VM layout, or skip the non-agent devices entirely. The new resource is optional and disabled until an operator picks a layout and configures field mappings. Default match-key suggestion changed from systemName to uid (NinjaOne's stable GUID) on both resources to avoid the IP / hostname churn issues that plagued IP-keyed mappings.
  • .key file uploads. Plain-text key files (PEM, SSH, certificate keys) can now be attached as file uploads alongside the existing image / document / archive / script / config types.

1.7.0 - 2026-05-07

Added

  • NinjaOne RMM integration. New integration driver for syncing managed devices from NinjaOne organisations into Weavestream asset records, joining the existing Action1, UniFi, and Cloudflare drivers under Admin → Integrations. Authentication is OAuth2 client_credentials with the monitoring scope; the regional API base URL is configurable for US / EU / CA / OC tenants. Each NinjaOne organisation maps to a single Weavestream company, with an optional per-mapping location-ID filter.
  • Rich NinjaOne field catalogue. The driver flattens the /v2/devices-detailed payload — os, system, memory, processors[0], volumes[0], references.* (organisation, location, role, policy, role-policy, warranty, assigned owner) and maintenance subtrees — onto roughly seventy mappable top-level fields covering identity, OS, make / model / serial / BIOS, processor, memory, volumes, network, warranty, owner, role, policy, location, lifecycle, and maintenance state.
  • Human-readable variants for byte and clock-speed fields. memoryCapacityHuman, systemTotalPhysicalMemoryHuman, firstVolumeCapacityHuman, firstVolumeFreeSpaceHuman, processorClockSpeedHuman, processorMaxClockSpeedHuman render alongside the raw numeric fields, formatted like 127.5 GB / 4.4 TB / 2.10 GHz for direct mapping onto TEXT and rich-text AssetFields.
  • Multi-line volumesSummary. TEXTAREA-typed field that renders every volume on the device as one line each — <name>[ <label>] — <capacity> total, <freeSpace> free (<filesystem>) — for asset layouts with a single storage textarea slot.
  • Primary IP and MAC derivation. primaryIpAddress (IP_ADDRESS) and primaryMacAddress (TEXT) are derived from NinjaOne's array-valued ipAddresses / macAddresses so single-value asset fields can be mapped directly. The IP heuristic splits the IPv6 GUA + link-local pairs NinjaOne packs into one slot, then prefers non-link-local IPv4, falling back to non-link-local IPv6 and finally the first entry.

Documentation

  • Integrations page refreshed to include the new NinjaOne section alongside Action1, UniFi, and Cloudflare, with a category-grouped list of synced data and a step-by-step setup walk-through.

1.6.4 - 2026-05-06

Added

  • Cloudflare integration. New integration driver for updating Cloudflare Zero Trust IP lists. Manage Cloudflare Zero Trust IP lists directly from Weavestream via API token authentication. Managed under Admin → Integrations alongside existing Action1 and UniFi connectors.

1.6.3 - 2026-05-03

Added

  • Password list columns. Toggle to show or hide strength and visibility columns on password tables.
  • UniFi clients. UniFi integration now includes client devices alongside existing synced data.
  • Bulk asset actions. Bulk archive, delete, and restore from all-assets views.
  • Company sticky note. Per-company sticky note in the admin company shell for quick operator notes.

1.6.2 - 2026-05-01

Changed

  • Backup job reliability tweaks. Scheduled and manual Postgres export jobs now handle edge cases more consistently across retention, history, and download workflows.

Fixed

  • Vault PDF exports. Fixed PDF generation issues in vault exports that could produce broken or incomplete documents.
  • Password detail mobile layout. Fixed mobile rendering of password detail views so content and actions remain readable on narrow screens.

1.6.0 - 2026-05-01

Added

  • In-app scheduled Postgres exports. Operators with the new BACKUP_MANAGE capability (or SUPER_ADMIN) can configure cron schedules under Admin → Backups that produce pg_dump --format=custom files plus a manifest.json sidecar in a new bind-mounted host directory (${DATA_DIR}/backup). Schedules carry a timezone, GFS retention ({ daily, weekly, monthly }), and optional notification recipients (failures always email; successes are opt-in). Manual "Run now" attempts are polled to terminal status in the History tab; successful runs surface a download button that streams the dump back through the API. Concurrency is guarded by a Postgres advisory lock around the whole job. The worker image now ships postgresql16-client so pg_dump is available without sidecars.

Documentation

  • Backup & Restore guide refreshed to cover the new in-app scheduled exports, the off-host sync of ${DATA_DIR}/backup and ${DATA_DIR}/files, and a step-by-step pg_restore recovery on a fresh Docker host. The authentication page now flags that vault decryption requires the matching .env keys at restore time.

1.5.6 - 2026-04-30

Changed

  • MinIO replaced with native local filesystem storage. The minio container is gone. The api and worker now share a host-bind-mounted directory (${DATA_DIR}/files, surfaced inside the containers as ${FILE_STORAGE_DIR}, default /var/lib/weavestream/files) and write atomically via tmp+rename. Per-tenant isolation is by directory (${FILE_STORAGE_DIR}/<companyId>/...); browsers continue to read every file through the API's same-origin streaming endpoints, so there is still no public file surface. The AWS S3 SDK is no longer a runtime dependency.

Removed

  • MinIO service from compose.yml, the compose.console.yml overlay, and the minio: block in compose.build.yml.
  • All MINIO_* env vars (MINIO_ENDPOINT, MINIO_PORT, MINIO_USE_SSL, MINIO_REGION, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_BUCKET_PREFIX, MINIO_PUBLIC_URL, NEXT_PUBLIC_MINIO_ORIGINS).
  • AWS S3 SDK runtime dependencies (@aws-sdk/client-s3, @aws-sdk/s3-request-presigner).

1.5.5 - 2026-04-30

Changed

  • MinIO configuration simplified. The upload client now fetches MinIO config directly from the API, removing the need for a reverse proxy setup.

Fixed

  • Miscellaneous bug fixes.

1.5.4 - 2026-04-30

Security

  • Audit log is now append-only at the database layer. A new Postgres trigger blocks any UPDATE or DELETE against audit_log with the error "audit_log is append-only", raising tamper-resistance from an application convention to a database invariant. INSERT is the only legal write, and pg_dump / pg_restore are unaffected. Operators who genuinely need to rewrite audit rows (for example to anonymise a dump) can disable the trigger as the table owner; see the INSTALL guide.
  • Containers can no longer escalate privileges at runtime. Every service in compose.yml (postgres, redis, minio, api, worker, web) now boots with no-new-privileges:true, so a process inside the container can't gain new Linux capabilities via a setuid binary even if a vulnerability lets it execute one. Transparent for operators — no .env or workflow changes required.
  • MinIO image pinned to a specific release. compose.yml now references minio/minio:RELEASE.2025-09-07T16-13-09Z instead of :latest. This is the same image :latest resolves to today, so existing deployments are neither upgraded nor downgraded — but future :latest drift can no longer silently change the image under a running install. Upstream archived the public minio/minio Docker repository, so a deliberate migration to a maintained successor is tracked as its own future release.

1.5.3 - 2026-04-29

Added

  • MFA backup codes. Completing MFA enrollment now issues one-time recovery codes that users can save, copy, and use on the MFA challenge if their authenticator is unavailable. Codes are hashed at rest, consumed atomically, deleted when MFA is reset, and can be regenerated from the profile page. Operators also get reset-mfa <email> in the CLI to clear MFA, backup codes, and active sessions for account recovery.

Changed

  • Uploads relayed through the API. Browsers no longer PUT directly to MinIO; the init endpoint now returns a same-origin relay URL (/api/v1/companies/:id/uploads/:uploadId/blob) and the API streams the body to the internal bucket. Embedded article images served via /uploads/:id/image are likewise streamed back through the API instead of 302-redirecting to a presigned S3 URL. This keeps MinIO fully reachable only over the Docker network (matching the v1.5.2 loopback-by-default MINIO_HOST_BIND) and removes the need to put a reverse proxy in front of the bucket endpoint just so a browser can upload a logo or paste an image into the rich-text editor.

Security

  • MFA reset hardening. Admin-triggered MFA resets now require a recent actor sign-in, clear stored backup codes, and revoke the target user's active sessions.

1.5.2 - 2026-04-29

Added

  • Admin Security Center (read-only). New /admin/security page surfaces login activity (success / password failure / MFA failure aggregates by IP and email over a configurable 1h-7d window), active account lockouts read from the lockout service's Redis counters, active rate-limit blocks, and every non-revoked session across users with MFA / role / IP / UA metadata. SUPER_ADMIN sees everything; OPERATORs need the new SECURITY_READ platform capability (added to MANAGER_PRESET). Revoking another user's session from this page additionally requires USER_MANAGE and writes a security.session.revoke audit row tagged with the target user. Backed by apps/api/src/security/.
  • IP allow/deny rules. New /admin/ip-rules page lets admins with IP_RULE_MANAGE capability create global IP-based access rules. Rules support single IPv4 addresses (192.168.1.1) or CIDR ranges (10.0.0.0/8) with ALLOW or DENY actions. Rules are evaluated in priority order (lowest first) by IpRuleGuard, which runs before AuthGuard on every request. First match wins; if no rules match, access is allowed (default-allow policy). All rule changes are audited (security.ip_rule.{create,update,delete}). The new IP_RULE_MANAGE capability is added to MANAGER_PRESET.
  • Egress / SSRF guard. Every server-side outbound HTTP call (Action1 + UniFi integration drivers, RDAP / IANA bootstrap, WEBSITE_DOWN HTTP probes, HIBP password-leak check) now flows through a new safeFetch helper that resolves the target hostname and refuses to dial loopback, RFC1918, link-local, multicast, or cloud-metadata (169.254.169.254) addresses. Operators can punch holes for legit on-prem RMM endpoints via EGRESS_ALLOWED_PRIVATE_CIDRS=10.42.0.0/16, or short-circuit the entire guard for lab installs with EGRESS_ALLOW_PRIVATE_NETWORKS=true. The guard also caps response bodies (default 16 MB) and enforces per-call timeouts so a hostile origin can't pin a worker on a multi-gigabyte payload. Every refusal is recorded as security.egress.blocked and surfaced in the new Egress blocks tab of the Security Center.
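As an added illustration of the two mechanisms above (not Weavestream's code), the following TypeScript shows priority-ordered, first-match IP rule evaluation with a default-allow fallback, and the private-range refusal an egress guard applies to an already-resolved address, honouring an allow-list in the spirit of EGRESS_ALLOWED_PRIVATE_CIDRS and the EGRESS_ALLOW_PRIVATE_NETWORKS override. It is IPv4-only; the rule shape, option names and function names are assumptions, and hostname resolution is left to the caller.

```typescript
// Added illustration (not Weavestream's code): priority-ordered IP allow/deny
// rules and the private-range check behind an egress (SSRF) guard. IPv4 only.

type RuleAction = "ALLOW" | "DENY";
interface IpRule { priority: number; cidr: string; action: RuleAction; }

// Parse a dotted-quad IPv4 address into a 32-bit unsigned integer; null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True when `ip` lies inside `cidr` ("10.0.0.0/8") or equals a bare host ("192.168.1.1").
function cidrContains(cidr: string, ip: string): boolean {
  const pieces = cidr.split("/");
  const base = pieces[0] ?? "";
  const bits = Number(pieces[1] ?? "32");
  const baseInt = ipv4ToInt(base);
  const ipInt = ipv4ToInt(ip);
  if (baseInt === null || ipInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((baseInt & mask) >>> 0) === ((ipInt & mask) >>> 0);
}

// Rules run lowest priority first; the first match decides; no match means allow.
function evaluateIpRules(rules: IpRule[], clientIp: string): RuleAction {
  const ordered = [...rules].sort((a, b) => a.priority - b.priority);
  for (const rule of ordered) {
    if (cidrContains(rule.cidr, clientIp)) return rule.action;
  }
  return "ALLOW";
}

// Ranges a server-side fetch must never dial unless explicitly exempted.
const BLOCKED_RANGES = [
  "127.0.0.0/8",     // loopback
  "10.0.0.0/8",      // RFC1918
  "172.16.0.0/12",   // RFC1918
  "192.168.0.0/16",  // RFC1918
  "169.254.0.0/16",  // link-local, which includes cloud metadata 169.254.169.254
  "224.0.0.0/4",     // multicast
];

interface EgressOptions {
  allowedPrivateCidrs?: string[]; // EGRESS_ALLOWED_PRIVATE_CIDRS, already split on commas
  allowPrivateNetworks?: boolean; // EGRESS_ALLOW_PRIVATE_NETWORKS=true (lab installs)
}

// Decide whether a resolved address may be dialled. Unparseable input fails closed.
function egressDecision(resolvedIp: string, opts: EgressOptions = {}): "allow" | "blocked" {
  if (ipv4ToInt(resolvedIp) === null) return "blocked";
  if (opts.allowPrivateNetworks) return "allow";
  const blocked = BLOCKED_RANGES.some((r) => cidrContains(r, resolvedIp));
  if (!blocked) return "allow";
  const exempted = (opts.allowedPrivateCidrs ?? []).some((c) => cidrContains(c, resolvedIp));
  return exempted ? "allow" : "blocked";
}
```

A real guard must also dial the exact address it checked rather than letting the HTTP client resolve the hostname a second time, otherwise a DNS answer that changes between check and connect sidesteps the check.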

Security

  • Tighter default network surface. compose.yml no longer publishes Postgres (5434) or Redis (6381) to the host, and MinIO's S3 port now binds to 127.0.0.1:9100 so a same-host reverse proxy can forward MINIO_PUBLIC_URL to it without exposing the bucket endpoint to the wider network. The MinIO admin console (9101) is no longer published by default.
    • Operators on existing installs who relied on host-side psql / redis-cli against compose: switch to docker compose exec postgres psql ... (or redis-cli), or layer compose.build.yml which still publishes the contributor dev ports.
    • Operators who genuinely need the MinIO console can layer the new compose.console.yml overlay (docker compose -f compose.yml -f compose.console.yml up -d) or SSH-tunnel 127.0.0.1:9101.
    • Set MINIO_HOST_BIND=0.0.0.0 in .env to restore the previous "publish on every interface" behavior (rarely the right answer for internet-facing installs).
  • Public health endpoint reduced to liveness only. GET /health now returns { "status": "ok" } with no version or backend diagnostics - those moved to authenticated GET /health/ready and GET /health/queues endpoints (require audit.read capability for the queue probe). External monitoring agents that scraped the old detailed payload should hit the new private endpoints with a session cookie or be replaced with docker compose exec api curl ... from inside the network.
  • Centralised client-IP handling. Every controller, the audit interceptor, and the tenant-context interceptor now read the client IP from req.ip only (via the new apps/api/src/common/request-meta.ts helper) and never re-parse the raw X-Forwarded-For header. Before this change, hitting the API directly with a forged X-Forwarded-For: header could spoof the IP recorded in audit rows, evade the rate-limit and lockout services, and so on. The new env var TRUST_PROXY_HOPS (default 1) replaces the hardcoded trust proxy literal in apps/api/src/main.ts - bump it to match your real topology if you run multiple proxies in front of the stack (see docs/CONFIGURATION.md -> "Client IP attribution").
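To show why the hop count has to match the topology, here is an added TypeScript sketch (not Weavestream's code) of the walk Express performs for a numeric trust proxy value, next to the naive header parse that the change removed; the function names are assumptions. It assumes the API is reachable only through the trusted proxy, since on a direct connection the socket peer is itself the untrusted client.

```typescript
// Added illustration (not Weavestream's code): how a hop-count trust setting
// (Express `trust proxy: <n>`, here TRUST_PROXY_HOPS) combines the socket peer
// with X-Forwarded-For, and why re-parsing the raw header is unsafe.

// Mirrors the walk Express/proxy-addr performs for a numeric trust value: start
// at the socket peer, then step outwards through X-Forwarded-For once per
// trusted hop. Entries beyond the trusted hops were written by untrusted parties.
function resolveClientIp(socketPeer: string, xff: string | undefined, trustHops: number): string {
  const forwarded = (xff ?? "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  // Chain from the server outwards: [socket peer, last XFF entry, ..., first XFF entry]
  const chain = [socketPeer, ...forwarded.reverse()];
  let i = 0;
  while (i < trustHops && i < chain.length - 1) i++;
  return chain[i] ?? socketPeer;
}

// The pattern the change removed: believe the first header entry unconditionally.
// Whoever opened the connection chose that value.
function naiveClientIp(socketPeer: string, xff: string | undefined): string {
  const first = (xff ?? "").split(",")[0]?.trim() ?? "";
  return first.length > 0 ? first : socketPeer;
}
```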

1.5.1 - 2026-04-29

Fixed

  • IPAM resilience against malformed IP values. The subnet occupants query no longer fails when an asset's IP_ADDRESS field somehow contains a non-canonical value (e.g. a multi-NIC RMM agent that flattens addresses to 10.0.0.35, 10.0.0.50). Candidate values are now strict-regex-filtered in SQL and re-validated in JS, so a single bad row can never abort the entire IPAM read.
  • Driver-sourced field validation. The IP_ADDRESS field strategy now refuses to persist values that don't round-trip through its schema, and the integration sync runner re-validates every projected value with the strategy's valueSchema before writing — preventing upstream drivers from leaking malformed values into typed columns.

1.5.0 - 2026-04-29

Added

  • Folder editing. Folders can now be renamed directly from the folder tree.
  • IPAM (IP Address Management). A new dedicated IPAM module for managing IP addresses, subnets, and network ranges across tenants.

1.4.1 - 2026-04-28

Added

  • SMTP email provider. Added SMTP as an email delivery provider.
  • New alert system. Introduced the new alert system.
  • UniFi integration. Added a new UniFi integration driver.

Changed

  • Improved Markdown editor. Upgraded the Markdown editing experience.

1.3.0 - 2026-04-27

Changed

  • Overhauled RBAC. Permissions and access control were refactored to improve clarity, consistency, and maintainability across admin and portal experiences.
  • Updated global tags. Global tags were refreshed and updated across the platform.

1.2.1 - 2026-04-26

Fixed

  • Missing S3 SDK runtime dependency. Added the missing AWS S3 SDK runtime package required in production so S3-backed features no longer fail at runtime due to missing module resolution.

1.2.0 - 2026-04-26

Added

  • Articles can be authored as Markdown or Tiptap (per-article). Storage uses editor_mode plus either Tiptap JSON (content) or raw Markdown (markdown_source); search continues to index content_plaintext for both. The admin article form includes a format toggle; switching formats on an existing article runs a one-time conversion with a confirmation dialog.
  • Vault records can now be exported to PDF. Admin users can generate PDF exports directly from the vault workflow for sharing and archival.
  • Foundation for integration services is now in place. Core sync orchestration and shared integration plumbing were introduced to support provider-specific connectors.
  • Action1 integration was added. The first integration driver is now implemented on top of the new integration services foundation.

Fixed

  • API JSON body limit raised to 2 MB. Express's default 100 KB cap rejected legitimate article payloads — most visibly when converting a larger Markdown article to Tiptap, since the JSON representation expands past the threshold. The new limit comfortably covers the 500 KB MAX_MARKDOWN_SOURCE ceiling and its Tiptap projection while still keeping a hard upper bound on request size.
  • Format switches no longer autosave. Switching between Markdown and WYSIWYG is a deliberate, potentially-lossy conversion, so the form now waits for an explicit Save click rather than persisting the converted body 4 s later. The "unsaved" tag still appears, and any subsequent normal edit re-arms the autosave debounce.
  • Tiptap → Markdown table conversion no longer drops to raw HTML. Tables without a <th> row are now promoted to a header row before Turndown sees them (GFM Markdown requires one), and <p> wrappers inside cells are unwrapped — joined with <br> for multi-paragraph cells — so the output is a clean GFM table instead of leaking the original <table> markup.

1.1.5 - 2026-04-24

Added

  • Starred items now cover passwords, assets, and articles in addition to companies. Operators can star or unstar each supported record from its detail page, then reopen it from the admin dashboard or the new sidebar starred drawer with type-specific icons, tenant context, archived-state labels, and direct links.
  • Per-user star storage now exists for every supported entity type. New Prisma models and migration tables track starred passwords, assets, and articles with user/entity uniqueness and cascade cleanup. The /me/stars API now returns a single mixed list and exposes idempotent star/unstar routes for companies, passwords, assets, and articles.

Fixed

  • Unauthenticated visits to / no longer emit a large RSC redirect body. Next.js now handles the missing-session redirect to /login at the routing layer, avoiding noisy "Big Redirect" findings while preserving authenticated role-based routing.
  • Next.js static assets now ship minimal security headers. The /_next/static/* tree gets X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy even though the edge proxy skips Next internals for HMR compatibility.

1.1.4 - 2026-04-23

Changed

  • Node.js 24 is now the minimum supported runtime. Node 20 maintenance LTS reaches end of life on 2026-04-30. All Docker images (api, web, worker) now build on node:24-alpine, engines.node is >=24.0.0, and CI runs on Node 24. @types/node is pinned to ^24.0.0 across the workspace. Self-hosted deployments should confirm their host runtime is on Node 24 before upgrading.
  • pnpm 10 is now the workspace package manager. packageManager in root package.json is pinned to pnpm@10.33.2 and CI runs the same version. pnpm 10 no longer runs install scripts by default; the allow-list is declared in pnpm.onlyBuiltDependencies (prisma, @prisma/client, @prisma/engines, @nestjs/core, argon2, sharp, msgpackr-extract, unrs-resolver). Contributors should run corepack enable once; subsequent pnpm invocations inside the repo will auto-use the declared version.
  • TypeScript, Jest, and ts-jest bumped to the latest 5.x / 30 lines. TypeScript 5.6 → 5.9, Jest 29 → 30.3, @types/jest 29 → 30, ts-jest floor raised to 29.4.9 (still the latest; ts-jest has not cut a v30 but its 29.4.x line is officially compatible with Jest 30). No test or jest config changes were required. A separate future PR will handle the TypeScript 5.x → 6.x jump, which has real breaking changes.
  • Zod floor raised from ^3.23.8 to ^3.25.0. Resolves to zod@3.25.76, the latest of the actively-maintained 3.x line. A full workspace-wide bump to Zod 4.x is deferred while an upstream z.enum inference regression is resolved.

Fixed

  • Release workflow no longer hangs for 40+ minutes on worker linux/arm64. The pipeline now builds each architecture on its native runner (ubuntu-24.04 for amd64, ubuntu-24.04-arm for arm64) and a separate manifest job stitches them into a multi-arch image — no more QEMU emulation and no more illegal-instruction crashes during pnpm install.
  • pnpm 10 prod-prune step failed inside Docker with ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY. pnpm 10 added a safety rail that refuses to remove/recreate node_modules non-interactively unless it detects it's running in CI. The api/worker Dockerfiles now prefix the prune step with CI=true.

Deferred (for future PRs)

  • Prisma 5 → 6+. Prisma 6 removes the $use middleware hook in favour of Client Extensions ($extends). Our PrismaService middleware enforces tenant isolation on every query — security-critical code that deserves its own dedicated migration PR.
  • TypeScript 5 → 6. New defaults (strict: true, types: [], inferred rootDir) require a workspace-wide tsconfig.json audit; not a drop-in bump.
  • Zod 3.25 → 4.x. Blocked on upstream inference fix for z.enum(array).

1.1.3 - 2026-04-23

Fixed

  • Client viewers can reveal permitted client-visible passwords again. CLIENT_VIEWER memberships are now included in password.reveal authorisation, with existing visibility and restriction checks still enforced in the passwords service.
  • Article excerpts no longer render twice on read pages. The separate excerpt block was removed from admin and portal article views to avoid duplicate intro text.
  • Article edit pages now expose file attachments. The attachments panel is now available in the article form sidebar/sheet so operators can manage uploads during editing.
  • Article browser layout now shrinks correctly in split panes. Added the missing min-width: 0 constraint to prevent overflow in constrained admin layouts.
  • Password detail pages now show the linked asset name. The linked asset is resolved and displayed as the outbound link label instead of generic copy.
  • Password reveal and inline warning surfaces use valid theme tokens. Replaced stale CSS variables with supported tokens so reveal states and warning chips render consistently across themes.

1.1.1 - 2026-04-23

Added

  • Asset layout rename & archive. Global asset layouts can now be renamed in place and archived (soft-deleted) from the layout list. A dedicated archive dialog warns before removing a layout still in use by existing assets. Archived layouts stop appearing in the asset creation picker but remain viewable on historical assets.
  • "Other" free-text option on dropdown fields. Asset layout dropdowns can opt in to an "Other…" escape hatch that lets users enter a one-off value without polluting the shared option list.
  • Reorderable dropdown & multiselect options. Drag-and-drop reordering of option lists in the asset layout builder.
  • IP address field type. New first-class field kind for asset layouts (IPv4/IPv6, optional CIDR). Lays the groundwork for the upcoming IPAM feature.

Fixed

  • Text file uploads rejected as audio/mpeg. UTF-16 LE's FF FE byte-order mark collides with the MPEG frame-sync pattern, causing BOM-prefixed .txt files (BitLocker recovery keys, Notepad exports, Excel CSVs) to be rejected on upload. Uploads now peek for UTF-8/16/32 BOMs before running file-type and short-circuit to text/plain.
  • 429 rate limits masquerading as 404s in SSR. The global throttler previously keyed every authenticated request on the Express socket peer — the web container's internal bridge address, shared by all operators. Rate limiting is now keyed on req.user.id, and 429 responses surface a dedicated error panel with a cooldown timer and auto-retry button.
  • Safari constantly prompting to save passwords. The password create/edit dialog's inputs looked like a login form to Safari's password manager. Fixed via input naming, autocomplete hints, and corrected form semantics.
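Added TypeScript illustration of the BOM peek described in the first fix above (not Weavestream's code): it tests the longer UTF-32 signatures before UTF-16, and puts a deliberately minimal MPEG frame-sync sniffer beside it so the FF FE collision is visible; the function names and the stand-in sniffer are assumptions.

```typescript
// Added illustration (not Weavestream's code): peek for a Unicode byte-order
// mark before handing an upload to signature-based MIME sniffing. The UTF-16 LE
// BOM (FF FE) also satisfies the MPEG audio frame-sync pattern (FF followed by a
// byte with its top three bits set), which is why a BOM-prefixed .txt can be
// sniffed as audio/mpeg.

type BomEncoding = "utf-8" | "utf-16le" | "utf-16be" | "utf-32le" | "utf-32be";

interface BomResult { encoding: BomEncoding; length: number; }

// Order matters: the UTF-32 LE BOM (FF FE 00 00) starts with the UTF-16 LE BOM,
// so the longer signature must be tested first.
const BOM_TABLE: Array<{ bytes: number[]; encoding: BomEncoding }> = [
  { bytes: [0xff, 0xfe, 0x00, 0x00], encoding: "utf-32le" },
  { bytes: [0x00, 0x00, 0xfe, 0xff], encoding: "utf-32be" },
  { bytes: [0xef, 0xbb, 0xbf], encoding: "utf-8" },
  { bytes: [0xff, 0xfe], encoding: "utf-16le" },
  { bytes: [0xfe, 0xff], encoding: "utf-16be" },
];

// Return the BOM found at the start of `head`, or null when there is none.
function detectBom(head: Uint8Array): BomResult | null {
  for (const { bytes, encoding } of BOM_TABLE) {
    if (head.length < bytes.length) continue;
    let match = true;
    for (let i = 0; i < bytes.length; i++) {
      if (head[i] !== bytes[i]) { match = false; break; }
    }
    if (match) return { encoding, length: bytes.length };
  }
  return null;
}

// Stand-in for a signature-based sniffer such as file-type: it only knows the
// MPEG frame-sync (eleven set bits across the first two bytes).
function sniffBySignature(head: Uint8Array): string {
  if (head.length >= 2 && head[0] === 0xff && ((head[1] ?? 0) & 0xe0) === 0xe0) return "audio/mpeg";
  return "application/octet-stream";
}

// Upload classification: BOM peek first, signature sniffing only when no BOM is present.
function classifyUpload(head: Uint8Array): string {
  if (detectBom(head)) return "text/plain";
  return sniffBySignature(head);
}
```

Short-circuiting on a BOM trusts two to four bytes, so a stricter pipeline would additionally verify that the remaining bytes decode as text before labelling the upload text/plain.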

1.1.0 - 2026-04-22

Added

  • Password vault. Per-tenant password manager with envelope-encrypted secret, notes, and TOTP fields. Every ciphertext is stamped with a key ID (PASSWORD_ENCRYPTION_KEY_KID) so keys can be rotated without downtime. Version history, archive/restore, credential attachments, and a full reveal-audit trail are first-class.
  • Password generator. Local, offline generator with words + symbols, passphrase, and custom-length modes. A 200-word EFF-style wordlist ships with the web app.
  • zxcvbn strength meter on password entry, with realtime score, warning, and suggestions.
  • HaveIBeenPwned breach check. Worker-side k-anonymity lookup (SHA-1 prefix only) on every password create/update. Toggled by HIBP_ENABLED (default true).
  • Expirations tracker. Global /admin/expirations and per-company views rolling up upcoming and past-due expiry dates across assets and passwords.
  • Audit log pagination. Server-side cursor pagination with configurable page size and URL-sticky filters.
  • MFA QR code rendered inline during TOTP enrollment.
  • reencrypt-passwords CLI. Bulk re-encryption after a key rotation or blob-format migration.
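The k-anonymity lookup described under the HaveIBeenPwned item above, as an added TypeScript example (not Weavestream's code): only the five-character SHA-1 prefix leaves the host, and the 35-character suffix is matched against the range body locally. The network call is left to the caller, the response body in the test is constructed, and the function names are assumptions.

```typescript
import { createHash } from "node:crypto";

// Added illustration (not Weavestream's code): the k-anonymity range lookup
// used by the Pwned Passwords API. Only the first five hex characters of the
// SHA-1 hash are sent; the remaining 35 are compared locally against the
// returned suffix list, so the service never learns the full hash.

interface RangeQuery { prefix: string; suffix: string; }

// Split the uppercase hex SHA-1 of the password into prefix (sent) and suffix (kept).
function splitSha1(password: string): RangeQuery {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body ("SUFFIX:COUNT" per line) and return the breach
// count for our suffix, or 0 when absent. Tolerates CRLF line endings and the
// count-0 filler entries the API returns when response padding is requested.
function breachCount(rangeBody: string, suffix: string): number {
  for (const raw of rangeBody.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    if (line.slice(0, sep).toUpperCase() === suffix) {
      const n = Number(line.slice(sep + 1));
      return Number.isFinite(n) ? n : 0;
    }
  }
  return 0;
}

// Full check against an already-fetched range body. The GET to
// https://api.pwnedpasswords.com/range/<prefix> is left to the caller, which is
// also where an HIBP_ENABLED toggle and any egress policy belong.
function isPwned(password: string, rangeBody: string): { prefix: string; count: number } {
  const { prefix, suffix } = splitSha1(password);
  return { prefix, count: breachCount(rangeBody, suffix) };
}
```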

Changed

  • prisma migrate deploy now runs inside the api container on startup instead of as a separate one-shot migrate service. Removes the exit-0 container that some Docker UIs flagged as an error.
  • Persistent data now lives in bind-mounted host folders under $DATA_DIR (defaults to ./data) instead of named Docker volumes.
  • compose.yml no longer hard-codes a Compose project name.
  • scripts/keygen.sh / scripts/keygen.ps1 now emit PASSWORD_ENCRYPTION_KEY alongside other secrets.

Fixed

  • Sharp (libvips) native module on linux/amd64 musl.
  • Docker web image now builds @weavestream/shared before the Next.js build step.

Upgrading from 1.0.0

  1. Re-download compose.yml and .env.example from the v1.1.0 tag.
  2. Add PASSWORD_ENCRYPTION_KEY and PASSWORD_ENCRYPTION_KEY_KID to .env.
  3. Optionally set HIBP_ENABLED=false if your deployment cannot reach api.pwnedpasswords.com.
  4. Migrate existing data from named volumes to bind-mount folders before the first up (see the upgrade guide).

1.0.0 - 2026-04-21

Initial public release.

Highlights

  • Postgres-backed, Docker-first IT documentation platform.
  • Tenant documentation with Tiptap-based rich-text articles, folders, photo galleries, and per-organisation asset layouts.
  • Invite-only user management with forced TOTP MFA and append-only audit logging.
  • Two-layer RBAC: global roles combined with per-tenant memberships.
  • Read-only client portal per tenant, with server-side field scoping.
  • MinIO-compatible object storage with one bucket per tenant.
  • Domain & SSL expiry monitoring.
  • Full-text search across articles, assets, and uploads.
  • Configurable workspace branding and tenant terminology from the admin UI.
  • Mobile-responsive admin shell and client portal.
  • Multi-arch container images (linux/amd64, linux/arm64) at ghcr.io/weavestream/weavestream-*.

Known limitations

  • No built-in TLS termination; front with a reverse proxy.
  • Single-tenant Postgres (shared schema with companyId scoping).
  • English UI only.