Skip to content

Releases: lenneTech/nest-server

11.27.4

Choose a tag to compare

@kaihaase kaihaase released this 04 Jul 07:23
15a92ba

Stabilize test tooling under parallel load: scope the idle watchdog to test steps, label signal-killed steps, and add an opt-in CHECK_LOW_RESOURCE e2e throttle.

11.27.3

Choose a tag to compare

@kaihaase kaihaase released this 03 Jul 19:18
b22edf2

Prevent API process crash by routing fire-and-forget auth verification email sends through sendAuthEmailSafely, so a failed send (SMTP down/delivery error) is logged instead of surfacing as an unhandled rejection.

11.27.2

Choose a tag to compare

@kaihaase kaihaase released this 22 Jun 20:32
28a4ffe

Fix check.mjs hiding devDep vulns for library packages by running the chain's own audit command verbatim.

11.27.1

Choose a tag to compare

@kaihaase kaihaase released this 22 Jun 19:37
70572f2

Introduce scripts/check.mjs: discovers each workspace project's check chain, runs steps with live status, and reports metrics per step.

11.27.0

Choose a tag to compare

@kaihaase kaihaase released this 14 Jun 19:40
1f5565a

Expose build identity (commit SHA + version) via health check so drifted containers are detectable after partial rollouts

11.26.3

Choose a tag to compare

@kaihaase kaihaase released this 03 Jun 18:01
202bc08

Prevent broken unnamed enum $ref in OpenAPI output by skipping swaggerOpts.type when an enum is set.

11.26.2

Choose a tag to compare

@kaihaase kaihaase released this 03 Jun 15:37
a90874b

Add COOKIE_PREFIX env to isolate session cookies on shared hosts, with cross-layer lockstep resolver and e2e regression guard

11.26.1

Choose a tag to compare

@kaihaase kaihaase released this 31 May 21:37
0779d58

Expose roles in REST auth response so clients can gate admin areas without a second round-trip

11.26.0

Choose a tag to compare

@kaihaase kaihaase released this 31 May 12:04
f5fe09f

AI Assistant Module: a fully opt-in, multi-tenant-capable, OWASP-aligned assistance system with DB-backed LLM connections, role-filtered tool registry, governed safety mechanisms, and MCP server integration — introduced on branch feature/ai-module.

Core Features:

  • DB-backed LLM connections with AES-256-GCM encrypted API keys (admin CRUD, hasApiKey output, production-secret guard)
  • Provider abstraction (OpenAiCompatibleProvider, ClaudeCliProvider) with auto-detection of supportsNativeTools / supportsJsonResponse / contextWindow
  • Prioritized connection-resolution chain (global default → tenant default → user default → client selection → tenant/admin enforced)
  • Role-filtered tool registry with mutating / destructive flags and pre-flight authorize() hooks
  • Plan mode with all-or-nothing pre-flight authorization of every planned step
  • Confirmation policy (mutating.default/enforced, destructive always-confirm, persistent tool grants "remember my choice")
  • Scoped tool policies (deny / ask / allow against tool arguments via regex)
  • Lifecycle hooks (PreToolUse / PostToolUse / SessionStart / Stop)
  • Token budgets per user AND per tenant (day / month / none reset windows, cumulative usage report, HTTP 429 with i18n translation)
  • Multi-turn conversations with $push-based message persistence and capped retention
  • SSE streaming endpoint (POST /ai/stream) plus REST and GraphQL single-shot
  • Multi-modal attachments (image URLs / dataUrls in prompts)
  • Admin-defined named agent modes with allowedTools filter and prompt addendum
  • Self-optimizing prompts (admin-editable tenant-scoped slots with override/reset, fragment-based builder, soft-delete via enabled: false)
  • Governed learning loop (prompt hints from tool failures, admin-approval-gated or autoApply)
  • User-facing prompt templates (scope: user|tenant, owner-only mutations)
  • Runtime placeholder registry ({{userId}}, {{roles}}, {{tools}}, …, project-specific placeholders dynamically registrable)
  • LLM-driven context compaction on context-window overflow with hard-trim fallback
  • Deferred tool schemas plus built-in search_tools meta-tool for large tool catalogs
  • Built-in ask_user_question tool for interactive clarification
  • Audit logging into aiInteractions (admin-readable, prerequisite for budgets)
  • MCP server (/ai/mcp Streamable HTTP) with lazy-loaded @modelcontextprotocol/sdk and 503 fallback when the SDK is missing
  • OAuth 2.1 for MCP clients (HMAC-SHA256 access tokens with timingSafeEqual, PKCE S256-only, refresh-token rotation bound to client ID, dynamic client registration with persisted client_secret)
  • SSRF allowlist for connection base URLs (ai.allowedBaseUrlHosts)
  • Per-user rate limiting (max / windowSeconds)
  • Three-layer security model (@Restricted / @Roles / securityCheck) with global stripping of apiKeyEncrypted and all token fields
  • Multi-tenancy isolation on slots, prompts, hints, budgets, and conversations
  • Full override hooks for every collaborator via ICoreModuleOverrides.ai

11.25.6

Choose a tag to compare

@kaihaase kaihaase released this 24 May 08:27
dd372b8

Bump dependencies and security overrides; disable BetterAuth user-cache in Playwright/lt-dev E2E for fresh roles