2026-07-01
- Docs: refreshed the Stainless-transition customer-success support pack.
- Added public-reply, inbound-DM, demo-call, existing-SDK, and Anthropic-safe response drafts.
- Tightened fit/no-fit FAQ language for broad SDK/docs/MCP parity versus Valkyr spec-to-secure-running-stack work.
- Expanded GrayMatter demo language around schema-aware durable memory tied to app objects, business objects, decisions, tasks, and retrieval receipts.
2026-06-30
- Fix: enabled repo-root Husky installation for the web workspace.
- Updated the frontend
preparescript to install hooks into the monorepo root.huskydirectory instead of failing from the nested web workspace. - Verified Husky now creates the root helper files and sets local Git
core.hooksPathto.husky/_, allowing the existingpre-commitandpre-pushhooks to execute.
- Updated the frontend
2026-06-28
-
Fix: GrayMatter/Valkyr ACL replay agents can now create the internal
ROLE_STAFFandROLE_RESELLERAclSid authority rows needed for ContentData internal visibility grants.- Kept arbitrary authority SID creation denied unless the caller has admin, trusted system auth, or explicit AclSid type permission.
- Added focused policy coverage for allowed internal visibility authority replay and denied admin authority replay.
-
Security: Protected team project snapshots
- Restricted
/v1/team-projects/**to admin/developer users before the broad generated GET rule. - Added method-level guards on
TeamOrchestratorControllerso internal worker metadata, task payloads, and git activity are not exposed anonymously. - Added regression coverage for route ordering, method-level authorization, and centralized CORS behavior.
- Restricted
2026-06-25
-
Fix: GrayMatter activation bridge responses now include a non-secret lifecycle audit trail.
- Bridge creation, signup, credit, payment, memory-query, and failure events are visible on bridge, event, and retry responses so ValorIDE/OpenClaw can explain activation recovery state without logging signatures or tokens.
-
Feature: Stainless transition CRM routing now carries the latest signal sweep into sourced lead, content, and positioning records.
- Seeded DealerMax, CoinRithm, CUGA, Sterling, and Knowledge Stack with source URLs, confidence levels, and guarded Stainless/OpenAPI/MCP evidence labels.
- Added content brief and proof-block data that keeps the
/stainless-alternativenarrative centered on GrayMatter memory, RBAC, SecureField, TrustFabric, and isolated instances.
-
Fix: ThorAPI spec ingestion now requires an explicit host allowlist before trusted-mode external HTTP(S)
$reftargets can pass validation.- Untrusted specs still fail closed for remote and local file
$reftargets before enhancement/codegen. - The rules validator emits
THORAPI_SPEC_REF_POLICYaudit log decisions for blocked and allowed external references.
- Untrusted specs still fail closed for remote and local file
-
Fix: exposed explicit Stripe Checkout mode selection for authenticated checkout sessions.
/v1/checkout/create-sessionnow acceptsmode: "payment" | "subscription"for ad-hoc offer checkout payloads.- Invalid checkout modes return
invalid_checkout_modebefore touching Stripe. - Added focused controller and Stripe module regressions for recurring explicit-amount checkout, including GrayMatter Early Access-style subscription payloads.
-
Feature: isolated one-click instance readiness now has a deterministic smoke spine.
- Added
scripts/isolated-instance-smoke.shto report deployment launcher, template, tenant-release-gate, dry-run spec, live deployment, status polling, GrayMatter, and TrustFabric stages aspass,fail,skipped, ormanual_required. - Added
scripts/test-isolated-instance-smoke.shso the local smoke contract proves incomplete live stages are labeled honestly. - Documented the smoke command in
deploy/README.md.
- Added
-
Fix: generated client freshness now fails when canonical OpenAPI/template inputs drift from
scripts/codegen-inputs.lock.scripts/codegen-inputs.sh validatenow compares the recomputed manifest to the committed lock instead of only checking readability.- Added a focused shell contract test for both the clean-lock and stale-lock paths.
- Documented the version bump and lock refresh workflow for intentional generator input changes.
2026-06-19
- Fix: OAuth signups now resume the white-paper signup funnel instead of dropping new GitHub/Google users into a separate onboarding route.
- The OAuth callback hydrates the authenticated principal through
/auth/me, stores only non-secret signup context, and routes new users to/funnel/white-paper?signupStep=organization. - The enhanced white-paper funnel starts authenticated OAuth users at organization setup with available email, name, avatar, provider, and organization hints already primed.
- Cypress coverage now includes sensible signup edge cases plus mocked GitHub and Google OAuth callback resumes.
- The OAuth callback hydrates the authenticated principal through
2026-06-12
- Fix: runtime starvation diagnostics now classify severe Hikari housekeeper stalls as P0 operational events when a stall exceeds the critical threshold or repeats inside the configured window.
- Diagnostic payloads now include severity, critical threshold, repeat window, and repeat-window evidence so operators can separate one-off warnings from launch-blocking runtime stalls.
2026-06-11
- Feature: Rating feedback can now flow into SkillOpt learning.
- Generated
Ratingcreation now uses a thin primary delegate override that still saves through the generatedRatingService, then creates a SkillOpt outcome when rating metadata includes a route receipt ref. Rating.metadatacan carryrouteReceiptRef/skillOptRouteReceiptRef,outcome,traceId, andactualCreditCost; missing outcome is inferred from the 0-100 rating score.- Plain ratings without SkillOpt metadata remain ordinary generated Rating records, while linked ratings create
SkillSignalthrough the existing SkillOpt outcome path and procedure-confidence updates.
- Generated
- Fix: GrayMatter ContextPage hydration now writes a first-class hydration receipt event.
- Hydrate responses include a generated
ContextTraversalEventwithHYDRATE_SOURCE,ctxhyd-*receipt refs, pointer refs, trace continuity, and ACL-recheck reason metadata. - Hydrated ContextPages now carry the hydration receipt ref in policy and recommend
recompress_after_hydration, making the compile -> hydrate -> recompress lifecycle auditable. - Receipt metadata stores pointer refs and counts only; raw hydrated memory/source text remains on the ACL-checked ContextPage item and is not copied into receipt metadata.
- Hydrate responses include a generated
- Fix: GrayMatter ContextPage hydration now supports internal Valkyr Labs agents running in the main control-plane schema.
- ContextPage read/hydration ACL rechecks still require ownership or platform admin for ordinary callers.
- Authenticated callers with
ROLE_VALKYR_AGENTcan now hydrate main-schema ContextPage memory pointers owned by another platform principal, matching the tenant schema resolver's internal-agentmaincontext behavior. - Added focused regressions proving ordinary users cannot hydrate another owner's memory pointer while Valkyr platform agents can.
- Fix: ThorAPI tenant app generation now preserves billable partial receipts when post-generation evidence persistence fails.
- If ThorAPI reaches the billable completion milestone and the credit debit receipt is settled, later artifact/build/runtime-binding persistence failures now write a
PARTIALbillableGenerationReceiptwith reservation and debit receipt refs instead of replacing the chain with a non-billable failure. - Pre-billable failures still release reservations and remain non-billable.
- Added regression coverage for the debit-settled, evidence-persistence-failed path.
- If ThorAPI reaches the billable completion milestone and the credit debit receipt is settled, later artifact/build/runtime-binding persistence failures now write a
- Fix: GrayMatter and SkillOpt ops endpoints now authenticate before the generic generated
GET /v1/**fallback.- Added explicit coverage for
/v1/graymatter_ops/**and/v1/skillopt_ops/**, including the snake_case ContextPage endpoints generated by ThorAPI. - Extended the GrayMatter security contract so those operational routes cannot drift into public cache/read behavior.
- Added explicit coverage for
- Fix: SkillOpt now fails closed for sensitive routes when human approval is required but unavailable.
- High-risk, critical-risk, or restricted-privacy tasks now stop with
STOP_POLICY_DENIEDandapproval_unavailableinstead of falling through to hydration, procedure, workflow, or model execution. - When an approval route is available, SkillOpt returns
ASK_HUMAN_APPROVALbefore execution. - Added focused route regressions for both approval-unavailable and approval-available paths.
- High-risk, critical-risk, or restricted-privacy tasks now stop with
- Fix: GrayMatter ContextPage traversal now updates the ContextPage lifecycle state.
- Traversal events now mark the page
TRAVERSED, carry a traversal receipt ref in policy, update the compact summary with the scope transition, and refresh token estimate/recommended action. - Extended ContextPage runtime coverage so conversation/task movement is visible on both the traversal receipt and the working ContextPage.
- Traversal events now mark the page
2026-06-10
- Feature: Stripe revenue audit now has generated customer, checkout, and subscription bookkeeping.
- Added ThorAPI-generated
StripeCustomerLink,StripeCheckoutSession, andStripeSubscriptionmodels plus Java/TypeScript services. - Stripe checkout webhook processing now writes generated customer-link and checkout-session audit rows while keeping
PaymentTransaction/CreditsServiceas the internal credit source of truth. - Stripe subscription lifecycle webhooks now write generated subscription/customer-link audit rows before applying entitlement changes.
- Stripe recurring invoice fulfillment now links renewal credits back to generated
StripeSubscriptionrows with invoice, payment intent, billing month, idempotency key, and non-secret renewal receipt metadata.
- Added ThorAPI-generated
- Feature: revenue-platform billable holds and debit receipts now carry explicit generated tenant/account/organization scope.
CreditReservationandCreditDebitReceiptgained ThorAPI-generatedtenantId,accountId, and nullableorganizationIdfields plus query indexes.- Credit reservation debits inherit scope from the reservation, and ThorAPI tenant app generation stamps tenant/account scope while deriving organization scope from generated application data-plane binding evidence when available.
- Focused revenue/app-generation tests now assert explicit scope on reservation and debit records.
- Feature: tenant app generation now records first-class generated spec and artifact evidence.
- Added ThorAPI-generated
AppSpecDraft,AppObjectModel,ThorApiSpecRevision, andGeneratedArtifactmodels plus TypeScript clients. - App generation requests/runs now link spec draft, object model, ThorAPI spec revision, package ZIP artifact, and manifest artifact refs into generated runs, artifact sets, and receipts.
- Added ThorAPI-generated
2026-06-06
- Fix: account privacy routes under
/v1/compliance/**plus/v1/auth/login-historynow require authentication before the generic generatedGET /v1/**fallback can expose data exports, privacy summaries, deletion actions, or masked login audit history. - Fix: operational table and summary statistics under
/v1/statistics/tablesand/v1/statistics/summarynow require authentication before the generic generatedGET /v1/**fallback, and the ObjectStatsPanel sends those dashboard requests with included credentials while marketing-safe public statistics such as/v1/statistics/generalremain available. - Fix: SWARM agent chat history under
/v1/agent-chat/**now requires authentication before the generic generatedGET /v1/**fallback can match agent conversation metadata or encrypted chat history. - Fix: creator monetization reads for service lists, earnings, and revenue previews now require authentication before the generic generated
GET /v1/**fallback, while public marketplace/service detail reads remain public. - Fix: generated identity and billing DataWorkbook reads for
Principal,Customer,Organization,IntegrationAccount,AccountBalance,UsageTransaction, andPaymentTransactionnow require authentication before the generic generatedGET /v1/**fallback can match list, stats, or detail routes. - Fix: SageChat follow-up question cards now strip nested
<question>protocol tags and render JSON-array<options>payloads as separate selectable option rows instead of one raw array blob.- Follow-up question rendering now also tolerates encoded command entities and attribute-bearing question/options tags, keeping the question text inside the question block and each option as an individual clickable row.
- Fix: Customer Launchpad app listing and launch-token routes now have runtime MockMvc coverage proving anonymous callers cannot list or launch tenant applications even with CSRF.
- Customer Launchpad launch clicks now fail closed when
/v1/launchpad/apps/{applicationId}/launchdoes not return a tokenized runtime URL, preventing the dashboard from silently opening raw registered runtime or entrypoint URLs. - Customer Launchpad launch tokens are now issued only for HTTP(S) runtime or entrypoint URLs without embedded userinfo, and tokenized launch URLs preserve existing query strings and fragments instead of appending the token after a fragment.
- Customer Launchpad launch clicks now fail closed when
- Fix: generated DataWorkbook tables now serialize RBGrid next-page requests with ref-backed page, in-flight, loaded-page, and reset-version guards so scroll/keyboard prefetch cannot reuse stale React state or merge old reset responses while loading additional paged rows such as
ContentData.- DataWorkbook pagination now starts from backend page
0, matching the generated ThorAPI pageable contract instead of skipping the first page and drifting the RBGrid append cursor. - Page append now always merges into the accumulated RBGrid dataset; the generator no longer clears already loaded rows when fetching backend page
1.
- DataWorkbook pagination now starts from backend page
2026-06-05
-
Fix: SageChat command protocol now keeps deterministic command authority server-side while preserving rich frontend UX synchronization.
CommandProcessor.getCommandGuide()remains the LLM command source of truth, including the invariant that command XML/JSON is executor protocol and must not be pasted as explanatory chat text.- The frontend command reference is now a compact UX/operator reference only, naming supported command cards, view/tab opening, Workflow Studio graph and ExecModule sync, Aurora composition, server/deployment wizard flows, report opening, app-factory intent routing, WebSocket/SWARM ValorIDE control, live tenant runtime logs/events, command ack/error/progress, and dynamic panel synchronization.
- Server command guidance now treats tenant ValkyrAI instances as first-class runtimes: ValorIDE agents registered to a tenant instance can run that tenant's workflows through the tenant runtime boundary, while shared ValkyrAI/api-0 commands remain Valkyr RBAC scoped and must resolve explicit tenant/application/runtime scope before crossing into tenant data, logs, workflow state, shell output, deployments, app-factory work, or ValorIDE control.
- ValorIDE SWARM execution now forwards non-secret runtime scope in the command envelope, permits local tenant-instance agent/workflow control, and fails closed for shared-control-plane commands that omit tenant/application/runtime scope.
- The central SWARM command forwarding service now applies the same shared-control-plane scope boundary for REST and WebSocket command traffic while preserving ordinary targeted messages and direct-dispatch policy denials.
/swarm-ops/commandnow returns generatedcommandIdandrejectionCodereceipts, and the ValorIDE Swarm Control Panel dispatches generatedSwarmMessagecommands through that server route so the UX reflects authoritative accepted/rejected/failed state instead of browser-simulated completion.- ValorIDE Swarm Dashboard discovery, activation, and suspend calls now use the shared authenticated API fetch rail with cookie, CSRF, and organization-header handling instead of local sessionStorage JWT fetches.
- SageChat now renders workflow and completion XML as informative command cards instead of raw protocol text, while still executing persisted workflow commands through real REST endpoints and dispatching UI intents for live panel state.
- The in-chat command guide now uses natural-language examples and documents XML/JSON as executor protocol, preventing the UX from encouraging users to paste raw command envelopes.
- Tenant file list, metadata, download, and S3 diagnostic routes under
/v1/files/**now require authentication before the generic generatedGET /v1/**fallback can match them. - Runtime isolation and SWARM control-plane metadata routes under
/v1/runtime/**,/v1/swarm-ops/**,/v1/swarm/agents/**,/v1/agents/**, and/v1/team-projects/**now require authentication before the generic generatedGET /v1/**fallback can match them. - Workflow module/control-plane routes under
/v1/modules/**,/v1/module-schemas/**,/v1/execmodules/**, legacy/v1/execModule/**,/v1/workflow-tasks/**, and command ABI/v1/abi/**now require authentication before the generic generatedGET /v1/**fallback can expose module metadata, schemas, exports, config contracts, command rules, or task details. - App-factory, workflow-design, project-manager, JSON CRUD, and Sage slash-command routes under
/v1/app-factory/**,/v1/workflow/design/**,/v1/project-manager/**,/v1/json-crud/**, and/v1/slash-command/**now require authentication before the generic generatedGET /v1/**fallback can expose app-generation templates, workflow design streams/catalogs, or command telemetry. - Docs-fragment routes under
/v1/docs/fragments/**now require authenticated users before the generic generatedGET /v1/**fallback can expose workflow, schema, module, or LLM-context fragments, while API telemetry routes under/v1/metrics/api/**and/v1/api/telemetry/**now requireADMIN,DEVELOPER, orSYSTEM. - Exact account/workflow/MCP/GrayMatter read roots (
/v1/credits,/v1/workflow,/v1/vaiworkflow,/v1/mcp,/v1/memory,/v1/mo, and/v1/graymatter) now require authentication before the generic generatedGET /v1/**fallback can match them. - Exact collection/root routes for deployment, ThorAPI generation, schema evolution, and workflow-test control surfaces (
/v1/deployments,/deployments,/v1/thorapi,/v1/schema-evolution, and/v1/workflow-test) now carry the same guards as their child routes so they cannot fall through to anonymous generated GET handling. - Admin/operator routes under
/v1/admin/**now require platformADMINbefore the generic generatedGET /v1/**fallback can match them, while/v1/admin/careers/**preserves the explicitADMIN/RECRUITERconsole boundary. - Dashboard ops routes under
/v1/ops/**now requireADMIN,DEVELOPER, orSYSTEMbefore the generic generatedGET /v1/**fallback can match launcher contracts, loop contracts, or uptime telemetry.
-
Docs: published the spec-to-stack readiness matrix for Stainless-transition demo calls.
- Added explicit Ready / In progress / Planned / Custom scoping / Not a fit language for buyer conversations.
- Covered ThorAPI backend generation, TypeScript client freshness, multi-language SDK limits, docs/MCP parity, RBAC, SecureField, TrustFabric, GrayMatter, Stripe-paid plans, isolated instances, and deployment flow.
- Linked the matrix from the Stainless demo-call playbook and SDK coverage FAQ so sales/support have one canonical limitations reference.
-
Feature: added ThorAPI-owned tenant isolation registry schemas for multi-tenant data-plane control.
- Added
TenantSchemaRegistry,ApplicationDataPlaneBinding,TenantRuntimeBinding,TenantSchemaBundle,TenantSchemaOperation, andTenantSchemaAccessAudittoapi.hbs.yamlwith explicit relationship/query indexes. - Regenerated backend Java models/services and frontend TypeScript models, RTK Query services, forms, tables, and charts from the ThorAPI spec.
- Organization schema provisioning now persists generated
TenantSchemaRegistryandTenantSchemaOperationlifecycle rows for provision, validation, delete, and failure states. - Organization schema provisioning no longer emits handwritten tenant table DDL; table shape stays owned by ThorAPI/Hibernate bundles after schema creation and registry validation.
- Hosted AWS deployment UX now verifies an active generated
TenantSchemaRegistryrow before review/launch and passes registry metadata into the runtime manifest. - Lightsail deployment planning now enforces the generated tenant schema registry server-side when the repository is available, preventing API callers from bypassing the dashboard registry gate.
- Successful hosted deployments now persist generated
ApplicationDataPlaneBindingandTenantRuntimeBindingrows, then stamp their ids and runtime/data-plane mode back onto deployment metadata. - Runtime binding and application data-plane promotion now write generated
TenantSchemaOperationlifecycle rows withbind_runtimeorpromote_data_planeoperation types, deployment-actor approval, and deployment request correlation. - Tenant data-plane promotion contract coverage now proves every prior active/validating application write-plane binding is retired before the promoted binding becomes active, and the runtime binding plus lifecycle operation point at the promoted data plane.
- ThorAPI tenant-scoped code generation now persists generated
TenantSchemaBundlemodel/table manifests, supersedes prior active manifests for the same tenant/application, updates registry bundle/checksum metadata, and writes anapply_bundleTenantSchemaOperationwithout emitting handwritten table DDL. - Tenant bundle manifests now enforce schema-declared
x-valkyr-scopevalues, reject missing scope and derived table collisions, prefixorg_schemaapp-private tables with<appid8>_, prefix shared business tables withshared_, and keep app-private table names unprefixed for app-schema/app-database placements. - Tenant bundle manifests now carry referenced component model names for
$reffields and reject shared-model dependencies on app-private models while allowing app-private models to reference shared contracts. - External or cross-app component references in tenant bundles now fail closed unless the relationship field declares
x-valkyr-relationship-contract: shared, and declared shared external contracts are retained in the generated bundle manifest. - Runtime schema column auto-expansion no longer runs as an application startup DDL mutator; field sizes, relationships, indexes, and tenant table shape remain owned by ThorAPI/OpenAPI specs, generated entities, Hibernate DDL, or ThorAPI-generated schema reconciliation ledger entries.
- Deployment defaults now advertise the ledgered
VALKYRAI_SCHEMA_RECONCILIATION_ENABLED=trueruntime contract instead of the removedVALKYRAI_SCHEMA_AUTO_EXPAND_COLUMNSstartup-mutator flag across Lightsail plans, deploy helpers, Docker, Helm, local Kubernetes, native runners, and dashboard-generated Lightsail specs. - Added generated
SchemaEvolutionLedgerThorAPI schema with explicit schema/status, category/status, safe/status, planned-time, and migration-identity indexes so schema reconciliation is durable, queryable, and idempotent instead of an invisible startup patch. - Schema evolution preview now returns typed reconciliation changes, marking generated string-widening and enum-constraint expansion as safe auto-apply candidates while requiring manual review for data backfills, nullable column adds, and unknown DDL shapes.
- Safe generated schema reconciliation now runs automatically and transparently when enabled: string-widening and enum-expansion changes are applied under a database/JVM lock, written to
SchemaEvolutionLedgerwith generated migration identities and statement hashes, and skipped on later boots once the ledger records the change. - The multi-tenant PRD now explicitly allows Flyway-style ledgering only when ThorAPI generates the migration identity and SQL from spec deltas; safe widening/enum expansion remains automatic and transparent, while handwritten migration files remain disallowed for normal ThorAPI drift repair.
- Unsafe generated reconciliation changes such as data backfills are recorded as
manual_review_requiredwithout executing SQL, preserving the audit trail without turning schema drift repair into a data-mutation side channel. - Generated
SchemaEvolutionLedgerDataWorkbook routes are denied alongside the tenant isolation registry/control models; operators use the lowercase ADMIN-only schema-evolution preview/reconcile surface instead of browsing generated control rows directly. - Runtime security coverage now proves anonymous and non-admin callers cannot use lowercase schema-evolution preview, reconcile, or settings routes; schema reconciliation remains an ADMIN-only ThorAPI-generated rail, not a generic DataWorkbook or public
/v1/**fallback. - LCARS Platform Ops now exposes the same lowercase schema-evolution preview/reconcile surface in the Tenant Schemas panel, showing planned, safe, manual-review, and applied counts without exposing generated ledger DataWorkbook browsing.
- Tenant bundle registration now revalidates any generated
ApplicationDataPlaneBindingbefore manifest persistence, requiring the binding to belong to the same registry/application and to use the exact server-derived org/app schema or validated app-database placement. - Tenant bundle registration now rejects platform-owned model/table contamination such as
Principal,Customer,Invoice,UsageTransaction, payment, credit, and Valkyr billing control objects before any tenant allowlist is persisted. - SecureField KMS default-key derivation is now tenant-aware for generated/domain objects that expose tenant schema, tenant registry, application database, or owner scope, preventing unrelated tenant records without an explicit
keyHashfrom converging on the same generated key material. - Added the admin-only
/v1/tenant-schemascontrol surface for audited registry reads, health checks, validation operations, audit lookup, and manifest-allowlisted tenant object inspection. - Tenant object inspection now resolves schema names from
TenantSchemaRegistryand table names from activeTenantSchemaBundlemanifests only; no request-provided schema/table names or free-form SQL endpoints are accepted. - Tenant object inspection now ignores generated model field entries and generic OpenAPI schema metadata when deriving allowlisted tables, preventing field names or
type: objectfragments from becoming tenant object browse targets. - Tenant object inspection now revalidates the registry schema as canonical
org_<uuid>before bundle lookup or SQL execution, and writes failed audit rows for noncanonical registry schema attempts. - Tenant object inspection now carries each active bundle's application data-plane placement through the allowlist:
app_schemabundles read only the server-derivedorg_<uuid>_app_<8hex>schema, whileapp_databaseandbyoc_databasebundles fail closed until a runtime-specific admin datasource is available instead of falling back to the registry org schema. - Tenant schema health and validation now use the same application data-plane placement contract:
org_schemaandapp_schemabundle tables are checked only in their derived schemas, whileapp_databaseandbyoc_databasehealth is reported as requiring the paid runtime datasource instead of being misread from the registry schema. - Tenant-admin app-database/BYOC object inspection now routes through
TenantSchemaExecutionServiceand becomes available only when the server enters a matching runtime admin data plane; shared/api-0 datasource attempts remain failed closed and audited. - Tenant object inspection now redacts common credential, key, token, authorization, and bearer column variants before admin list or record payloads leave the service.
- LCARS Platform Ops now exposes an admin-only Tenant Schemas panel that reason-gates registry reads, health checks, active ThorAPI bundle evidence, validation, audit lookup, and allowlisted object inspection through
/v1/tenant-schemasinstead of generic DataWorkbook browsing. - Tenant Schemas LCARS health now renders per-object placement verification, including the inspected app schema when available and a visible runtime-datasource-required warning for app-database/BYOC placements.
- Tenant Schemas LCARS health now renders manifest-derived active bundle posture counts for total models, app-private models, shared models, external references, and shared relationship contracts while the backend keeps raw bundle manifests out of the dashboard response.
- Tenant Schemas LCARS object inspection now derives clickable object buttons from placement-aware health, leaves
app_database/BYOC objects disabled as runtime-datasource targets, and disables shared-datasource loading when every active bundle object requires the paid runtime admin datasource. - Tenant schema validation, validation failures, and denied unsupported lifecycle operation requests now write explicit
TenantSchemaAccessAuditrows, and tenant-admin expected 4xx paths no longer roll back those audit/operation records. - Tenant schema lifecycle operation requests now audit unknown or malformed operation types before returning 400, preserving request id and operational reason while avoiding generated operation rows for invalid enum values.
- Tenant admin service tests now prove blank or too-short operational reasons fail before schema inspection and before any audit row is written, matching the LCARS reason gate server-side.
- Generated tenant isolation model HTTP/DataWorkbook routes are now explicitly denied before the generic
/v1/**GET fallback, while their ThorAPI-generated repositories/services remain available for internal orchestration. - Runtime security tests now prove platform
ADMINcallers are forbidden from browsing generated tenant isolation DataWorkbook list, detail, and stats routes. - Tenant Schemas LCARS audit lookup now calls the lowercase audited
/v1/tenant-schemas/{id}/auditsurface with the operational reason instead of any generated tenant DataWorkbook route. - Hosted AWS deployment UX now uses the authenticated
/v1/tenant-schemas/preflightendpoint for audited registry readiness checks instead of generatedTenantSchemaRegistryRTK/DataWorkbook reads. - Custom lowercase
/v1/tenant-schemas/**admin and preflight routes are now explicitly authenticated before the generic anonymous/v1/**GET fallback, with runtime coverage proving anonymous users cannot read tenant schema list, detail, health, audit, object, or preflight endpoints, and authenticated non-admin users cannot use tenant-schema admin list, detail, health, audit, object, validate, or operation routes. - Deployment endpoints now require authenticated callers explicitly at route and controller boundaries, including generated deployment delegate operations, Fargate upgrades, database connectivity checks, generated deployment secrets, and the
/deploymentscompatibility route. - Added a GrayMatter tenant schema context resolver that fails closed unless the authenticated principal maps to an organization with an active/validating generated
TenantSchemaRegistry. - Internal Valkyr Labs agents with
ROLE_VALKYR_AGENTnow resolve GrayMatter memory/retrieval operations to the explicitmaincontrol-plane context, andTenantSchemaExecutionServiceexecutes that context on the current platform connection without schema/catalog switching while customer/org agents still require generated tenant schema context. - The authenticated
/v1/tenant-schemas/preflight/graymatter_statusendpoint now reports the resolved GrayMatter schema context, includingschemaName=mainfor internal Valkyr agents, and the GrayMatter repogm-statusscript surfacestenant_schema_context/tenant_schema_namefor operator checks. - GrayMatter
gm-statusnow treats missing tenant/main schema context asmemory_layer=degraded;gm-writequeues fallback instead of attempting durable/MemoryEntry/write, andgm-retrieval-receiptrefuses receipt create/get/list calls before api-0 whentenant_schema_contextis not ready. - GrayMatter memory controllers, generated MemoryEntry delegate overrides, memory runtime actions, retrieval receipts, and semantic index search now require or apply the resolved tenant schema context.
- Semantic index writes now stamp
tenantScopewith the resolvedorg_<uuid>schema, summary/vector semantic retrieval filters to that tenant scope, and retrieval receipts persist the schema name astenantId. - Added
TenantSchemaExecutionServiceto run tenant data-plane repository work under the registry-derived schema/catalog and reset the JDBC connection state infinally. - Added H2-backed cross-schema execution regressions proving identical table names in sibling
org_<uuid>schemas return only the selected tenant's rows, unqualified writes land only in the selected tenant schema even with identical ids, and the connection schema resets after tenant work. - Added direct generated-domain table isolation coverage proving a representative
teethapp table can store the same domain id in sibling organization schemas without either tenant reading the other's row. - MemoryEntry now includes generated
applicationandprojectrelationships with explicit app/project indexes; generatedPOST /MemoryEntrypreserves those relationships and resolves application-scoped memory through the active generatedApplicationDataPlaneBinding. - Custom GrayMatter compatibility endpoints now preserve the same application/project relationship scope:
/v1/memory/writebuilds generatedMemoryEntrypayloads fromapplicationId/application_idandprojectId/project_id, while/v1/memory/queryand/v1/memory/listapply app/project filters before tenant schema execution. - Tenant schema execution now allows only registry-derived organization schemas or server-derived application schemas in the
org_<uuid>_app_<8hex>form, keeping arbitrary schema names rejected. - Application-scoped GrayMatter routing now revalidates
app_schemabindings against the exact server-derivedorg_<uuid>_app_<application-id-prefix>name before returning a tenant context, preventing poisoned binding rows from routing one app's memory into another app schema. - Application-scoped tenant context now carries the active generated
ApplicationDataPlaneBindingid, app data-plane mode, database name, host, region, and managed credential reference when app/project GrayMatter memory resolves beyond the organization schema. - Shared tenant schema execution now rejects
app_databaseandbyoc_databasecontexts instead of silently executing separate app-database work on the platformDataSource; those placements require a runtime-specific data source. - Paid-runtime app-database execution now requires tenant/customer/organization runtime scope,
VALKYRAI_SHARED_DATABASE_ALLOWED=false, matching data-plane mode, database name, database host, and managed credential reference before switching only the bound application database catalog. - Managed
app_databasecontexts now require the server-derivedappdb_<organization_uuid_without_dashes>_<application_id_prefix>database name at binding creation, tenant-context resolution, and JDBC execution; BYOC database names remain customer-specific but still require the exact active runtime binding metadata. - GrayMatter memory usage telemetry now uses bounded indexed
UsageTransactionprojection queries instead of the timeout-prone OR/LOWER usage-ledger query shape, with contract coverage keeping the ThorAPI spec and generated entity memory-ledger indexes in place. - GrayMatter memory reads/writes, semantic index writes/searches, retrieval receipt persistence/reads, sparse keyword retrieval, graph retrieval, MySQL full-text retrieval, and generated-target semantic retrieval now enter the tenant schema execution boundary instead of relying only on owner filters.
- Retrieval receipt reads now reject receipts whose persisted
tenantIddoes not match the resolved tenant schema. - Legacy and compatibility memory search routes now require authenticated GrayMatter roles, read entitlement, tenant schema context, and registry-derived tenant read execution before querying
/MemoryEntry/search,/v1/memory/search, or/v1/memory/semantic-search. - Generated and custom GrayMatter read surfaces now authenticate before the generic
/v1/**GET fallback, including/v1/GrayMatter,/v1/graymatter/**,/v1/graymatter-retrieval-receipts/**,/v1/memory/**, and/v1/MemoryEntry/**. - Removed
/v1/GrayMatterfrom public API cache-header handling so GrayMatter cannot be treated as an anonymous public catalog route. - GrayMatter activation and MCP bundle controllers now carry explicit authenticated GrayMatter role guards, and runtime security tests prove anonymous callers with valid CSRF tokens cannot use GrayMatter action routes such as memory write/query, semantic-index search, retrieval context, retrieval benchmark, activation events, MCP bundles, or retrieval receipt creation.
- GrayMatter control-surface metadata routes now require resolved tenant schema context before returning control, retrieval-tool, semantic-index manifest, object-graph shape, or retrieval-benchmark metadata, preventing schema/planning surfaces from leaking to org-less authenticated users.
- Runtime security tests now also prove anonymous callers with valid CSRF tokens cannot use application generation, deployment, or tenant-schema validation/operation action routes.
- Added GrayMatter-only write regressions proving
/v1/memory/writeresolves tenant schema context before credit entitlement or persistence, and blocks persistence entirely when tenant context is missing. - Application data-plane binding now derives
app_schemanames server-side, requires managed database placement metadata forapp_databaseandbyoc_database, rejects environment-only BYOC placement strings, and promotes/retire bindings when the physical placement changes so each app has one active write plane. - Application data-plane binding now skips generic deployments without tenant schema/registry hints and reuses an unchanged active binding on same-plane redeploys, avoiding duplicate active write planes or false promotion lifecycle rows.
- Application data-plane binding history now uses an explicit app/status query index instead of a coarse app/status unique constraint, allowing multiple retired historical bindings while service logic retires duplicate active/validating/binding rows before reusing or promoting a write plane.
- Runtime data-plane binding now ignores stale inactive duplicate registry rows during schema-name lookup, prefers deployable
ACTIVE/VALIDATINGregistries, and rejects noncanonical registry schema names before writing application/runtime binding rows. - Deployment metadata now records the active binding ids, registry id, application data-plane mode, runtime kind, and database placement evidence after successful tenant data-plane binding.
- AWS Fargate deployment results now normalize tenant runtime metadata from
DeploymentSpec.environmentVariablesbefore binding so the runtime records seeaws-fargate, registry id/status, customer schema, database scope, isolation mode, database host/region, OpenAPI checksum, shared-DB flag, and tenant auth/RBAC mode. - Lightsail deployments now derive managed
app_databaseplacement from the tenant registry and stableApplication.id, rewrite provisioneddb-0JDBC URLs toappdb_<organization_uuid_without_dashes>_<application_id_prefix>, reject mismatched explicit app database names, and stamp non-secret app database placement metadata into deployment results. - Deployment Wizard now keeps a stable generated
Application.idthrough review/submit and displays/sends the server-derived managed app database name, host, and credential reference forapp_databaseregistries. - Deployment validation now rejects customer application runtime specs that target shared ValkyrAI database endpoints/schemas, declare shared/internal/platform data scopes, allow shared databases, or point
org_schemaruntimes at a siblingdb-0schema. - Tenant RBAC replacement now rejects platform/internal roles in hosted customer schemas even when a stale principal already has the role, preventing tenant runtime updates from preserving
ROLE_ADMIN,ROLE_SYSTEM, or internal Valkyr agent privileges. - Tenant RBAC replacement now also proves stale platform roles can be cleaned up by replacing them with tenant-safe roles, so customer-schema admins are blocked from preserving platform authority without being trapped by bad historical state.
- Tenant RBAC now has positive generated-domain coverage proving hosted customer schemas can create roles such as
ROLE_DENTISTand grant generated-object authorities such asTEETH_READ, while platform/internal roles and authorities remain blocked. - Generated customer app scaffolds now emit per-model REST controllers plus a tenant
TenantRbacAuthorizationguard, requiring generated object authorities such asWIDGET_READ,WIDGET_CREATE, orWIDGET_WRITEwhile treatingROLE_ADMIN,ROLE_SYSTEM,ROLE_VALKYR_AGENT, andVALKYR_*authorities as platform-only signals that do not authorize tenant app data. - Generated app scaffold tests now compile the emitted backend sources and invoke the generated tenant RBAC guard, proving object authorities authorize generated app data and platform admin/schema authorities do not; the coverage now includes a dentistry
Teethdomain scaffold withTEETH_READ/ROLE_TEETH_CREATEallowed and mixed platform authority payloads denied. - Tenant bundle lifecycle regressions now prove generated app-domain components such as
Teethare captured in tenant bundle manifests, and tenant admin object reads remain constrained to active bundle allowlists. - Tenant Schemas admin health now carries active bundle application and application data-plane binding ids through to LCARS so admins can see which generated app and write-plane binding controls each manifest allowlist.
- Tenant Schemas admin health now exposes non-secret active data-plane placement details for each active bundle, including write-plane mode/status, schema/database placement, database host/region, and active deployment id; LCARS renders those details from the audited lowercase tenant-schema health route.
- Customer Launchpad now uses the authenticated lowercase
/v1/launchpad/appssurface to project owned generatedApplicationrows and latestTenantRuntimeBindingmetadata into launch-safe dashboard cards without exposing hidden generated tenant-runtime DataWorkbook routes. - Customer Launchpad now projects source-backed app catalog metadata from generated
TenantRuntimeBinding,TenantSchemaRegistry,Deployment, andApplicationDataPlaneBindingrecords, including organization id, registry id, tenant schema/database scope/isolation mode, link type, deployment ownership model, billing profile, data-plane binding/schema/database placement, data-plane mode/status/region, required launch-token claims, and health URL only when deployment metadata registers one or ahealthCheckPathcan be resolved from the runtime/deployment origin. - Customer Launchpad launch clicks now call
/v1/launchpad/apps/{applicationId}/launchto receive a five-minute signedtokenType=launchpadJWT scoped to the authenticated principal, generated application, organization, tenant schema registry/name, tenant database scope/isolation mode, application data-plane binding/placement, runtime binding, and runtime origin before opening the tokenized runtime URL. Bound runtimes fail closed when tenant registry/data-plane scope is incomplete, and launch tokens do not include managed credential references. - Runtime isolation now reports application data-plane mode, binding ids, tenant registry id, application database placement, tenant auth/RBAC mode, and
paidRuntimeIsolationReadythrough/v1/runtime/isolation. - Runtime isolation readiness now follows the app-database execution guard, requires live JDBC catalog/schema alignment with the configured tenant or app database binding, and exposes only non-secret booleans for managed credential-reference and connection-alignment state.
- Runtime isolation now includes a server-configured database privilege probe that prevents paid runtimes from reporting ready when their datasource can read forbidden platform or sibling tables; regression coverage proves least-privilege app users pass, overprivileged users fail, and unsafe probe table identifiers are rejected.
- Customer Instance Ops now renders the runtime data-plane mode, shared database guardrail, application database placement, tenant runtime RBAC state, live tenant/app connection alignment, and database privilege probe status from the isolation endpoint, including an explicit warning when forbidden platform or sibling tables are readable.
- Tenant Schemas and Customer Instance Ops now visibly warn when a managed
app_databaseplacement reports a stale/friendly database name instead of the server-derivedappdb_<organization_uuid_without_dashes>_<application_id_prefix>contract. - Added ThorAPI Component Library documentation for
CustomerInstanceOpsDashboardand refreshedTenantSchemaAdminPaneldocumentation for server-side reason gating and write-plane placement evidence. - GrayMatter semantic recall now accepts app/project scope, resolves the tenant read context through the active application data-plane binding, and filters candidates to the requested application/project so app-private memory follows the isolated data plane.
- Retrieval receipt providers now honor app/project scope from generated request filters across dense, sparse, graph, summary, generated-target, and full-text lanes, and app-scoped receipts are stamped with the application schema resolved from the active data-plane binding.
- Sparse and graph retrieval now push app/project scope into the DB-backed
MemoryEntrySearchServicecriteria query itself, using the generatedMemoryEntryapplication/project relationships and keeping post-query candidate filtering as defense in depth;MemoryEntrySearchServiceITproves the Criteria query excludes sibling project rows at the database search layer. - Added tenant retrieval receipt indexes for
tenantId,createdAtandtenantId,retrievalStatus,createdAt, plus deployment polling/reconciliation indexes for status/deployed time, status/completed time, spec/status, deployed-by/status, and cloud resource id. - Added an OpenAPI contract test that prevents tenant schemas, hot runtime/retrieval/polling indexes, bounded large-text manifest fields, and regenerated hot-path repository methods from regressing.
- ThorAPI ACL permission evaluation now centralizes SID normalization, anonymous/admin checks, owner-default masks, permission implication, and target-id/class resolution in one support class shared by
ValkyrACLandValkyrAIPermissionEvaluator; Spring's publicAcl.isGranted(...)andPermissionEvaluator.hasPermission(...)entry points remain distinct, but the policy logic no longer forks. ValkyrAIPermissionEvaluatorno longer maintains a privateSidRetrievalStrategypath; bothhasPermission(...)and concrete ACLisGranted(...)requests now derive principal/authority SIDs throughValkyrAclSecuritySupport.authenticationSids(...).- Added a tenant schema-authority contract test that scans SQL migration resource folders and fails if tenant isolation tables are introduced through migration scripts instead of ThorAPI/OpenAPI plus Hibernate DDL.
- Added tenant hot-path query-shape regressions proving schema-name runtime binding and registry-scoped audit lookup use generated key/relationship queries and avoid repository-wide scans.
- Added an executable tenant isolation production-release gate requiring fresh staging p95/load evidence for registry lookup, GrayMatter retrieval, audit writes, deployment status polling, runtime binding lookup, and application data-plane promotion validation before non-dry-run production deployment API calls.
- Deployment launcher contract tests now prove production deploys fail closed when tenant release evidence is missing or incomplete.
- Deployment API validation now rejects production tenant runtime specs without fresh inline
VALKYRAI_TENANT_ISOLATION_RELEASE_EVIDENCE_JSON/VALKYRAI_TENANT_RELEASE_EVIDENCE_JSONevidence for every required tenant release-gate result. - Lightsail staging deployments remain launchable without production release evidence when
VALKYRAI_DEPLOYMENT_STAGEis explicitly non-production, even if the staged runtime usesSPRING_PROFILES_ACTIVE=production. - Fargate promotion now requires tenant release evidence before cloud provisioning, and the dashboard sends that evidence to the authenticated upgrade endpoint instead of allowing an ungated staging-to-production path.
- The dashboard now validates Fargate tenant release evidence before submit, rejecting missing result arrays, stale timestamps, missing required release-gate measurements, bad samples, and p95 values above threshold before the upgrade API is called.
- Added focused API and dashboard regressions proving production tenant deploys, Fargate promotion, and the dashboard upgrade flow honor the release evidence gate.
- Added deployment security contract coverage to prevent anonymous access from returning through the generic
/v1GET fallback. - Added ThorAPI app-generation security contract coverage proving every
/v1/thorapicontroller route requiresADMINorDEVELOPER,/v1/thorapi/**is protected before the generic anonymous/v1/**GET fallback, and anonymous job-status reads are rejected at runtime. - Added controller regressions for semantic search and keyword search aliases to verify principal denial, entitlement checks, tenant schema resolution, and tenant-scoped read execution.
- Added data-plane binding/runtime regressions for generic deployment skip behavior, unchanged redeploy binding reuse, derived app schema placement, app database credential requirements, BYOC metadata gating, same-registry promotion, Fargate tenant metadata normalization, shared ValkyrAI DB rejection, runtime isolation reporting, tenant-domain RBAC authorization, audited tenant-admin dashboard rendering, and deployment metadata propagation.
- Added
-
Fix: protected generated DataWorkbook/ThorAPI updates from sparse-payload data loss.
- Generated PUT delegates now merge non-null incoming fields into the existing row before
saveOrUpdatewhen the id already exists, preventing omitted DataWorkbook fields from being persisted asnull. - PUT still inserts when the id does not exist, preserving create-on-PUT behavior while making existing-row updates safe for grid-style sparse edits.
- Added generated delegate regression coverage proving an
IntegrationAccountDataWorkbook-style sparse PUT updates one visible field while preserving omitted scalar, SecureField, and encrypted identifier values.
- Generated PUT delegates now merge non-null incoming fields into the existing row before
-
Fix: consolidated ACL permission evaluation into the ThorAPI ACL decision path.
ValkyrAIPermissionEvaluatornow delegates object ACL decisions and anonymous public-read fallback throughAcl.isGrantedinstead of scanning raw ACL entries itself.ValkyrACL.hasPermission(...)is now only a compatibility/runtime entrypoint; it normalizes inputs and routes through the same shared runtime permission decision helper used by ACL evaluation.AclService.hasPermission(...)helpers now delegate object decisions throughreadAclById(...).isGranted(...)instead of scanning generatedAclEntryrows directly.ValkyrPermissionGrantingStrategynow delegates to the ACL implementation instead of maintaining a second ACE-scanning algorithm.WorkflowMetricsAspectnow gates workflow-specific WebSocket metric emission through the centralValkyrAclService.hasPermission(..., READ)check on the generatedWorkflowobject identity instead of an allow-all placeholder; malformed workflow ids and missing ACL service wiring fail closed while explicit workflow operator roles stay intentional.- Added an app boundary regression proving ValkyrAI cannot reintroduce app-local
ValkyrACL, permission-granting strategy, or ACL authorization strategy forks. - Added boundary regressions proving
AclServiceandValkyrPermissionGrantingStrategycannot reintroduce duplicate ACL decision loops. - Added
WorkflowMetricsAspectTestcoverage for ACL grant, ACL deny, operator role bypass, invalid workflow id denial, and missing ACL service denial. - Updated ACL tests so deny/grant behavior is modeled through the shared ACL decision path rather than duplicate evaluator-side ACE scans.
-
Fix: restored generated DataWorkbook field visibility for hidden/secure/audit columns.
- Generated tables now build the column universe from the full ThorAPI model field list, so
IntegrationAccountexposes fields such asapiKey,accountId,createdDate,lastAccessedDate, andlastModifiedDatewhen hidden columns are toggled on. - RBGrid now renders a hidden/generated-column checkbox to the left of select-all, keeping sensitive and generated fields hidden by default while making them inspectable on demand.
- RBGrid dark-mode checkbox styling is larger and brighter, with a cyan border/focus affordance so row, boolean, and hidden-column checkboxes remain visible against the dark grid.
- Added focused frontend regression coverage for generated field visibility, hidden-column toggling, and dark-mode checkbox styling.
- Generated tables now build the column universe from the full ThorAPI model field list, so
-
Fix: hardened hosted runtime tenant schema validation for Lightsail deployments.
- Deployment launch now requires provisioned customer schemas to use the
org_<32 lowercase hex organization UUID>contract used by ThorAPI tenant provisioning. - Dashboard deployment validation now rejects malformed provisioned schemas before database testing or launch.
- Updated the multi-tenant hosting PRD naming contract from the older
cust_<orgid8>draft wording to the currentorg_<organization_uuid_without_dashes>pattern.
- Deployment launch now requires provisioned customer schemas to use the
2026-05-27
-
Content: added a GrayMatter agent-memory quickstart for Stainless-transition demos.
- Published the install/auth, write, query, schema-context, safety guardrail, and 20-minute demo path.
- Linked the quickstart from the Stainless Alternative page alongside SDK coverage and freshness guidance.
- Added coverage so the public comparison page keeps both customer-success links visible.
-
Docs: added Stainless-transition pricing transparency support copy.
- Expanded the Stainless Transition FAQ with buyer-facing plan-boundary, credit, usage-limit, and overage guardrails.
- Added a demo-call pricing-objection response that translates credits into memory reads, writes, reindexing, and generation work without competitor fearmongering.
-
Feature: added strategy-backed Projects across the Valhalla suite.
ProjectandProjectObjectLinkare now ThorAPI-generated schema objects with generated REST services, Java models, repositories, and TypeScript RTK Query clients.- LCARS now exposes Business > Projects with a New Project action, stage tracking, generated object counts, and deterministic stage advancement.
- GrayMatter control surfaces now publish Project and ProjectObjectLink as RBAC-visible object-graph primitives while keeping SwarmOps coordination-only.
- ValorIDE's GrayMatter client now discovers Project capabilities and can create/update Project records with
sourceSurface: "valoride". - Added a ValkyrAI
ProjectExecModule for workflow CRUD, stage advancement, and linking goals, tasks, workflows, applications, deployments, MCP services, memory entries, and object links.
-
Fix: restored the Docusaurus mobile docs sidebar to the built-in hamburger behavior.
- Removed the custom bottom Docs drawer, custom mobile logo toggle, and duplicate custom navbar menu item that could render a blank popout.
- Kept the native Docusaurus sidebar and navbar sidebar flow as the single mobile navigation path.
-
Feature: added Valhalla customer experience mode for the white-paper funnel and dashboard.
- The white-paper funnel now maps customer intent to a dedicated
persona-modepreference with typedpersonaModeandpersonaComplexityfields while preserving existingCustomer.rolevalues. - Added a dashboard Mode pill next to credits so users can switch between CxO, solopreneur, engineer, student, reseller, publisher, workflow designer, and GrayMatter lenses.
- User Preferences now exposes the same Experience Mode control and a complexity selector for testing guided, balanced, and expert presentations.
- LCARS dashboard navigation now reorders already-authorized items by persona focus without changing RBAC role gates.
- Account plan details now call out TrustFabric Compliance as Enterprise-included or Team add-on eligible.
- The white-paper funnel now maps customer intent to a dedicated
2026-05-21
-
Fix: restored admin ACL repair authority for deny-all permission mistakes.
- Admin domain-object permission checks now bypass explicit deny ACLs before object ACL lookup.
- ACL mutation strategy now recognizes the real admin authorities only; tests use
ROLE_ADMIN. - ACL revoke now resolves entries by the protected object's UUID and removes matching grant/deny ACEs so admin repair actions can clear stale
EVERYONEdenies. - PermissionDialog no longer exposes the
Deny EVERYONE alltesting shortcut and adds an admin repair action to clear explicit deny entries.
-
Enhancement: modernized SageChat/Valor prompt enhancement for workflow and SWARM automation.
- Backend
LLMControllernow injects the command guide even when a providerinitialPromptis blank. CommandProcessor.getCommandGuide()now documents browser/UI, generated REST, workflow canvas, and SWARM command surfaces.- SageChat's frontend operator prompt moved into a testable
valorCommandPrompt.tsmodule and removes secret-like credential examples.
- Backend
-
Fix: stopped SageChat provider payloads from being written to runtime logs.
LLMControllernow logs OpenAI/pass-through/Ollama requests, responses, and provider errors as metadata only.- Generated logging configuration no longer forces all
com.valkyrlabslogs to DEBUG;LLMControllerdefaults to INFO with an explicitVALKYRAI_LLM_CONTROLLER_LOG_LEVELoverride. - Added regressions that fail if prompt text, chat text, serialized
messages, or provider error bodies leak through DEBUG/TRACE logs.
-
Fix: hardened ThorAPI frontend client generation for Vite dev startup.
yarn devnow regenerates the ThorAPI TypeScript client before starting Vite so ignoredsrc/thorapioutput is present.generate-thorapi-client.mjssnapshots the previous generated client and restores it if ThorAPI generation aborts, preventing failed generation from deleting the last usable service files.- Added a Node regression that simulates a ThorAPI failure and verifies the previous
DownloadAccessServiceoutput survives.
-
Fix: hardened SAGEChat CSRF retry handling for production subdomain cookies.
authFetchnow retries unsafe requests with the fresh token returned by/auth/csrfinstead of falling back to a stale readableXSRF-TOKENcookie.- Clearing browser auth storage also clears remembered CSRF state so switch-account and fresh-login flows cannot reuse an old token.
- Added focused Jest regressions for SAGEChat
/llm-details/{id}/chatretry behavior and CSRF token precedence.
2026-05-20
-
Fix: hardened fresh-localhost startup and first-write ACL behavior.
- Wired memory entitlement construction through Spring's configured constructor path.
- Restored a primary
applicationTaskExecutorso async MVC dependencies resolve when channel executors are also present. - Removed the duplicate
/v1/metrics/api/livetelemetry alias controller mapping. - Retried ACL ownership grants when concurrent
acl_classcreation hits the H2 unique constraint for models such asUserPreference. - Aligned stale controller/API test fixtures with generated
PaymentTransaction.amountCentsand GrayMatter activation constructor signatures.
-
Fix: made
credit_pricing_matrixthe editable runtime pricing source for credit economics.- Credit purchases now price cents through the active matrix unit key instead of treating cents as credits.
- Memory read/write, generator, launch, swarm, and LLM rates resolve through matrix rows with existing property defaults as bootstrap fallbacks.
- Buy Credits, cart checkout metadata, and dashboard examples now display matrix-derived credit rates.
-
Fix: made configured bootstrap super-admin password rotation consume the handoff file.
- Existing
superprincipals now acceptvalkyr.bootstrap.super.password/VALKYR_BOOTSTRAP_ADMIN_PASSWORDas authoritative on startup. - Stale
config/bootstrap/super-admin.oncecredentials are rewritten as a consumed marker and renamed out of the active bootstrap path.
- Existing
2026-05-19
- Fix: hardened OpenAPI wizard
sourceDetailspersistence path against legacy 255-char column regressions.- Added JPA integration coverage that saves and reloads an
OasOpenAPISpecwith a 560-charactersourceDetailspayload. - Locks in the first-run import path expectation that rich wizard metadata persists cleanly instead of triggering SQL overflow failures.
- Added JPA integration coverage that saves and reloads an
2026-05-06
- Fix: restore Stripe credit purchase POSTs on Loki and production-style deployments.
- Kept authenticated checkout endpoints and the Stripe webhook out of the broad CSRF gate so hosted Checkout can start from cookie-authenticated users.
- Added a CSRF contract test that allows only explicit checkout exemptions and rejects broad
/v1/**or/v1/checkout/**bypasses.
- Fix: Loki OAuth callback stability for GitHub and Google sign-in.
- Hardened the manual OAuth success handler against lazy
Principalrole, authority, and organization associations after provider callback completion. - Preserved least-privilege
EVERYONEfallback claims so a lazy association cannot turn a successful provider handshake into a Whitelabel 500. - Added focused regression coverage for the callback success path.
- Hardened the manual OAuth success handler against lazy
- Build: restored deterministic Java 17 class output before AspectJ weaving.
- Added a
vaix/Maven compile bridge that replaces partial compiler classfiles with raw Java 17javacoutput before the AspectJ staging guard runs. - Kept the hard unresolved-compilation classfile guard in place so bad bytecode fails before a Loki or production package can be created.
- Excluded generated
openapi.yamlfrom runtime resources to keep the executable jar from absorbing non-runtime spec bloat. - Tightened Maven resource/jar packaging so only
openapi/api-out.yamlis copied into classes and the executable jar.
- Added a
- Security: removed a MailerSend-looking token comment from the email ExecModule source; MailerSend credentials now remain deployment-only configuration.
2026-05-04
- Fix: make the marketing-site 3D background decorative-only on content routes.
- Added a WebGL capability guard so the
react-three-fiberbackground only mounts when the browser can initialize WebGL. - Wrapped the background canvas in a non-fatal
ErrorBoundaryfallback so renderer failures no longer crash the page route. - Added focused Jest coverage for the decorative background support helper.
- Added a WebGL capability guard so the
2026-05-03
- Feature: GrayMatter SWARM Protocol v0.1 for issue #2297.
- Published a canonical GrayMatter-backed event contract for Codex, OpenClaw, Valor, Valklaw, ValorIDE, Claude adapters, humans, workflows, CRM, CMS, deployments, GitHub, and audit state.
- Added a machine-readable JSON schema at
/schemas/graymatter-swarm-v0.1.schema.json. - Wired the LCARS SwarmOps dashboard to parse v0.1 WebSocket events, merge live SwarmOps presence with durable Agent Directory records, and flag SwarmOps-only agents as
Needs Agent. - Hardened Agent creation against the billing quota aspect fallback constructor path so Codex/OpenClaw/Claude/native agents can create durable Agent records before broadcasting presence.
- Linked ValkyrAI, ValorIDE, architecture, dashboard, and mothership notes back to the canonical spec while preserving the current STOMP/WebSocket compatibility profile.
- Fix: launch-page documentation links for the GrayMatter-first GTM path.
- Encoded the Workflow Engine docs slug used by GrayMatter, Ultimate Homepage, and Support surfaces so public Docusaurus links open cleanly.
- Tightened GrayMatter landing tests around the sales narrative, CTAs, and journey docs target.
- Feature: GrayMatter TrustFabric launch kit for issue #574.
- Added a buyer-facing launch packet with hero copy, proof strip, one-pager narrative, FAQ, demo script, and technical proof links.
- Linked the launch kit from the GrayMatter Docs Fast Lane so demos and sales calls have one canonical proof asset.
- Added GrayMatter landing coverage for the launch-kit documentation CTA.
- CI: scoped App Factory release gates to App Factory lane branches only.
- Non-App-Factory PRs to
rc-*now skip the App Factory checklist instead of failing on unrelated branch names. - Real App Factory lanes still enforce the issue-id branch policy and release checklist.
- Non-App-Factory PRs to
2026-03-24
- Tests: re-enabled
SystemUserServiceTestunder fixture-disabled test track (#997).- Removed class-level disable guard and aligned authority assertion with current system-user contract (
ROLE_ADMINpresent for system context). - Added deterministic fixture checklist doc:
deterministic-fixture-checklist.mdx.
- Removed class-level disable guard and aligned authority assertion with current system-user contract (
2026-03-23
- Content ops: ScribeBot throughput batch (project briefs #90/#92 + memory workstream #78/#86/#87/#88/#89)
- Added a blog draft for ThorAPI, ContentData, and MemoryEntry.
- Added social thread draft:
content/social/2026-03-23-agent-memory-thread.txt - Added docs runbook:
content-pipeline-scribebot.mdx - Focus: contract-first memory positioning with ThorAPI model/service grounding.
2026-03-06
- Feature: Memory launch GTM assets packet (issue #631)
- Added
memory-launch-assets.mdxwith launch-page hero/value copy and launch pricing draft. - Added retention/deletion/training-policy FAQ draft for external launch readiness.
- Added public launch announcement draft and explicit traceability to epic #624.
- Added
2025-10-26
- Feature: Integration Account Console
- Added
/integration-accountsLCARS dashboard that aggregates hero metrics, Thor-generatedIntegrationAccountTable, and template-driven creation w/ ExecModule linking. - Auto-computed templates for every Thor ExecModule metadata entry plus curated one-click providers (OpenAI, Gemini, Gmail, Stripe, Twilio, Slack, HubSpot, Salesforce, SecureKey).
- Inline linking updates ExecModules through
updateExecModuleMutation, closing credential gaps for Workflow Studio, billing flows, and GitHub automations. - Surfaced SecureKey-backed usage stats and category filters to mirror workflow coverage dashboards.
- Added
- Tests & Docs
- Added
IntegrationAccountConsole.test.tsxwith RTL coverage for hero render, category filtering, and modal orchestration. - Authored
Workflow Engine/integration-account-console.mdxdetailing setup, security posture, and related workflow artifacts.
- Added
2025-09-06
- Added local Ehcache 3 (JCache) configuration and Spring Cache wiring for high‑value hot paths.
- Introduced
sidByUsernamecache forAclSidlookups viaAclSidLookupService. - Added micro‑TTL
permissionDecisionscache forAclService.hasPermission(...)decisions. - Reduced
KMSSecureFieldAspectlogging to WARN by default in production settings. - Included unit test for
AclSidLookupServicecaching behavior.
2025-09-07
- Fix: LLM Chat SYSTEM principal crash
- Updated
thorapiACL to handle non-UUID principals safely. ValkyrACL.resolveAuthenticatedPrincipalIdnow treatsSYSTEM/anonymousUsercase-insensitively and only parses UUID-looking strings.- Prevents
Invalid UUID string: SYSTEMduring LLM chat secure-field reads when running as SYSTEM.
- Updated
- Hardening: SystemSidInitializer idempotency
- Both
thorapiandvalkyraiSystemSidInitializerset deterministic UUIDs and check by ID and name before saving. - Prevents duplicate
SYSTEM/ADMIN/EVERYONE/AUTHENTICATEDSIDs if both initializers are active.
- Both
2025-10-21
-
Feature: One-click digital product publishing pipeline
- Added
DigitalProductWorkflowProvisionerto seed a default workflow chainingDigitalFulfillmentModule, newDigitalDownloadNotificationModule, andMailtrapSendModulefor automated delivery email. DigitalFulfillmentService.prepareDigitalProductnow auto-attaches the workflow, marks products available immediately, and returns automation metadata for the UI.- Introduced
refreshDownloadLinkhelper used by notification workflows to rotate tokens without creating duplicate access rows. - Created
DigitalDownloadNotificationModuleExecModule to compose email payloads and forward download access IDs to downstream mail modules.
- Added
-
Feature: Digital product quick publish UX
- Added
DigitalProductQuickCreatePanelto the File Record console for single-click promotion of scanned uploads to the product catalog. - Added RTK Query
DigitalProductService+ UI tests; integrates automation summary in success state so operators understand the workflow chain.
- Added
-
Tests
- New unit suites for
DigitalProductWorkflowProvisionerandDigitalDownloadNotificationModuleplus RTL coverage for the quick create panel.
- New unit suites for
2025-09-08
-
Fix: Replace javax.servlet with jakarta.servlet in OpenAPI templates
- Updated
apiDelegate.mustacheto usejakarta.servlet.http.HttpServletRequest. - Updated
modelTest.mustacheimports tojakarta.servlet.http.HttpServletRequest. - Regenerated API code for
valkyrai; compile errors referencingjavax.servlet.httpresolved. - Added defensive null checks in
ApiUtil.setExampleResponseand now passHttpServletResponseviaServletRequestAttributesto avoid NPE during example response rendering.
- Updated
-
Feature: Lightweight per-entity stats endpoint and secured repository convenience queries
- Added derived Spring Data methods to every
*PageableRepository:count(),countByOwnerId(UUID ownerId),countByCreatedDateAfter(OffsetDateTime),countByLastModifiedDateAfter(OffsetDateTime),findTopByOrderByCreatedDateDesc()
- Added
GET /v1/<Entity>/statsendpoint per API interface returning JSON stats:count,ownedCount,createdLast24h,modifiedLast24h,latestCreatedAt
- Implemented in delegates with
@PreAuthorize("hasRole('EVERYONE') or hasRole('ADMIN')")and user-scoped cache keys.
- Added derived Spring Data methods to every
-
Change: Relationship fetch based on requiredness
- In generated JPA models, associations now use:
fetch = EAGERwhen the property isrequiredfetch = LAZYwhen the property is optional
- For
@ManyToOne,optionaland@JoinColumn(nullable=...)mirrorrequired. - Keeps payloads lean while eagerly resolving mandatory links.
- In generated JPA models, associations now use:
-
Fix: Stable JSON for Hibernate lazy proxies
- Added Jackson Hibernate datatype support for lazy-loaded entity serialization.
- Disabled forced lazy loading; serialize identifiers for uninitialized proxies.
- Added Jackson mixins to ignore
hibernateLazyInitializer/handleron proxies. - Resolves ByteBuddy proxy serialization failures on
Application.openAPISpec.
-
Feature: Pimped ExecModules (Email + Stripe)
- Added comprehensive Javadoc for
MailtrapSendModule,EmailModule, andStripeCheckoutModule(inputs, outputs, env, error codes). - New docs page: Stripe module covering setup and usage.
- UI: Palette icons now include Stripe via
react-icons/si (SiStripe). - UI: Palette fetch hardened to accept API responses as either
["Class"]or[{ className: "Class" }]. - UI: Module picker shows friendly names for Stripe and Email modules when
nameis unset. - Tests: Added
StripeCheckoutModuleTestcovering input validation and error branches.
- Added comprehensive Javadoc for