Skip to main content

2026-07-01

  • Docs: refreshed the Stainless-transition customer-success support pack.
    • Added public-reply, inbound-DM, demo-call, existing-SDK, and Anthropic-safe response drafts.
    • Tightened fit/no-fit FAQ language for broad SDK/docs/MCP parity versus Valkyr spec-to-secure-running-stack work.
    • Expanded GrayMatter demo language around schema-aware durable memory tied to app objects, business objects, decisions, tasks, and retrieval receipts.

2026-06-30

  • Fix: enabled repo-root Husky installation for the web workspace.
    • Updated the frontend prepare script to install hooks into the monorepo root .husky directory instead of failing from the nested web workspace.
    • Verified Husky now creates the root helper files and sets local Git core.hooksPath to .husky/_, allowing the existing pre-commit and pre-push hooks to execute.

2026-06-28

  • Fix: GrayMatter/Valkyr ACL replay agents can now create the internal ROLE_STAFF and ROLE_RESELLER AclSid authority rows needed for ContentData internal visibility grants.

    • Kept arbitrary authority SID creation denied unless the caller has admin, trusted system auth, or explicit AclSid type permission.
    • Added focused policy coverage for allowed internal visibility authority replay and denied admin authority replay.
  • Security: Protected team project snapshots

    • Restricted /v1/team-projects/** to admin/developer users before the broad generated GET rule.
    • Added method-level guards on TeamOrchestratorController so internal worker metadata, task payloads, and git activity are not exposed anonymously.
    • Added regression coverage for route ordering, method-level authorization, and centralized CORS behavior.

2026-06-25

  • Fix: GrayMatter activation bridge responses now include a non-secret lifecycle audit trail.

    • Bridge creation, signup, credit, payment, memory-query, and failure events are visible on bridge, event, and retry responses so ValorIDE/OpenClaw can explain activation recovery state without logging signatures or tokens.
  • Feature: Stainless transition CRM routing now carries the latest signal sweep into sourced lead, content, and positioning records.

    • Seeded DealerMax, CoinRithm, CUGA, Sterling, and Knowledge Stack with source URLs, confidence levels, and guarded Stainless/OpenAPI/MCP evidence labels.
    • Added content brief and proof-block data that keeps the /stainless-alternative narrative centered on GrayMatter memory, RBAC, SecureField, TrustFabric, and isolated instances.
  • Fix: ThorAPI spec ingestion now requires an explicit host allowlist before trusted-mode external HTTP(S) $ref targets can pass validation.

    • Untrusted specs still fail closed for remote and local file $ref targets before enhancement/codegen.
    • The rules validator emits THORAPI_SPEC_REF_POLICY audit log decisions for blocked and allowed external references.
  • Fix: exposed explicit Stripe Checkout mode selection for authenticated checkout sessions.

    • /v1/checkout/create-session now accepts mode: "payment" | "subscription" for ad-hoc offer checkout payloads.
    • Invalid checkout modes return invalid_checkout_mode before touching Stripe.
    • Added focused controller and Stripe module regressions for recurring explicit-amount checkout, including GrayMatter Early Access-style subscription payloads.
  • Feature: isolated one-click instance readiness now has a deterministic smoke spine.

    • Added scripts/isolated-instance-smoke.sh to report deployment launcher, template, tenant-release-gate, dry-run spec, live deployment, status polling, GrayMatter, and TrustFabric stages as pass, fail, skipped, or manual_required.
    • Added scripts/test-isolated-instance-smoke.sh so the local smoke contract proves incomplete live stages are labeled honestly.
    • Documented the smoke command in deploy/README.md.
  • Fix: generated client freshness now fails when canonical OpenAPI/template inputs drift from scripts/codegen-inputs.lock.

    • scripts/codegen-inputs.sh validate now compares the recomputed manifest to the committed lock instead of only checking readability.
    • Added a focused shell contract test for both the clean-lock and stale-lock paths.
    • Documented the version bump and lock refresh workflow for intentional generator input changes.

2026-06-19

  • Fix: OAuth signups now resume the white-paper signup funnel instead of dropping new GitHub/Google users into a separate onboarding route.
    • The OAuth callback hydrates the authenticated principal through /auth/me, stores only non-secret signup context, and routes new users to /funnel/white-paper?signupStep=organization.
    • The enhanced white-paper funnel starts authenticated OAuth users at organization setup with available email, name, avatar, provider, and organization hints already primed.
    • Cypress coverage now includes sensible signup edge cases plus mocked GitHub and Google OAuth callback resumes.

2026-06-12

  • Fix: runtime starvation diagnostics now classify severe Hikari housekeeper stalls as P0 operational events when a stall exceeds the critical threshold or repeats inside the configured window.
    • Diagnostic payloads now include severity, critical threshold, repeat window, and repeat-window evidence so operators can separate one-off warnings from launch-blocking runtime stalls.

2026-06-11

  • Feature: Rating feedback can now flow into SkillOpt learning.
    • Generated Rating creation now uses a thin primary delegate override that still saves through the generated RatingService, then creates a SkillOpt outcome when rating metadata includes a route receipt ref.
    • Rating.metadata can carry routeReceiptRef/skillOptRouteReceiptRef, outcome, traceId, and actualCreditCost; missing outcome is inferred from the 0-100 rating score.
    • Plain ratings without SkillOpt metadata remain ordinary generated Rating records, while linked ratings create SkillSignal through the existing SkillOpt outcome path and procedure-confidence updates.
  • Fix: GrayMatter ContextPage hydration now writes a first-class hydration receipt event.
    • Hydrate responses include a generated ContextTraversalEvent with HYDRATE_SOURCE, ctxhyd-* receipt refs, pointer refs, trace continuity, and ACL-recheck reason metadata.
    • Hydrated ContextPages now carry the hydration receipt ref in policy and recommend recompress_after_hydration, making the compile -> hydrate -> recompress lifecycle auditable.
    • Receipt metadata stores pointer refs and counts only; raw hydrated memory/source text remains on the ACL-checked ContextPage item and is not copied into receipt metadata.
  • Fix: GrayMatter ContextPage hydration now supports internal Valkyr Labs agents running in the main control-plane schema.
    • ContextPage read/hydration ACL rechecks still require ownership or platform admin for ordinary callers.
    • Authenticated callers with ROLE_VALKYR_AGENT can now hydrate main-schema ContextPage memory pointers owned by another platform principal, matching the tenant schema resolver's internal-agent main context behavior.
    • Added focused regressions proving ordinary users cannot hydrate another owner's memory pointer while Valkyr platform agents can.
  • Fix: ThorAPI tenant app generation now preserves billable partial receipts when post-generation evidence persistence fails.
    • If ThorAPI reaches the billable completion milestone and the credit debit receipt is settled, later artifact/build/runtime-binding persistence failures now write a PARTIAL billable GenerationReceipt with reservation and debit receipt refs instead of replacing the chain with a non-billable failure.
    • Pre-billable failures still release reservations and remain non-billable.
    • Added regression coverage for the debit-settled, evidence-persistence-failed path.
  • Fix: GrayMatter and SkillOpt ops endpoints now authenticate before the generic generated GET /v1/** fallback.
    • Added explicit coverage for /v1/graymatter_ops/** and /v1/skillopt_ops/**, including the snake_case ContextPage endpoints generated by ThorAPI.
    • Extended the GrayMatter security contract so those operational routes cannot drift into public cache/read behavior.
  • Fix: SkillOpt now fails closed for sensitive routes when human approval is required but unavailable.
    • High-risk, critical-risk, or restricted-privacy tasks now stop with STOP_POLICY_DENIED and approval_unavailable instead of falling through to hydration, procedure, workflow, or model execution.
    • When an approval route is available, SkillOpt returns ASK_HUMAN_APPROVAL before execution.
    • Added focused route regressions for both approval-unavailable and approval-available paths.
  • Fix: GrayMatter ContextPage traversal now updates the ContextPage lifecycle state.
    • Traversal events now mark the page TRAVERSED, carry a traversal receipt ref in policy, update the compact summary with the scope transition, and refresh token estimate/recommended action.
    • Extended ContextPage runtime coverage so conversation/task movement is visible on both the traversal receipt and the working ContextPage.

2026-06-10

  • Feature: Stripe revenue audit now has generated customer, checkout, and subscription bookkeeping.
    • Added ThorAPI-generated StripeCustomerLink, StripeCheckoutSession, and StripeSubscription models plus Java/TypeScript services.
    • Stripe checkout webhook processing now writes generated customer-link and checkout-session audit rows while keeping PaymentTransaction/CreditsService as the internal credit source of truth.
    • Stripe subscription lifecycle webhooks now write generated subscription/customer-link audit rows before applying entitlement changes.
    • Stripe recurring invoice fulfillment now links renewal credits back to generated StripeSubscription rows with invoice, payment intent, billing month, idempotency key, and non-secret renewal receipt metadata.
  • Feature: revenue-platform billable holds and debit receipts now carry explicit generated tenant/account/organization scope.
    • CreditReservation and CreditDebitReceipt gained ThorAPI-generated tenantId, accountId, and nullable organizationId fields plus query indexes.
    • Credit reservation debits inherit scope from the reservation, and ThorAPI tenant app generation stamps tenant/account scope while deriving organization scope from generated application data-plane binding evidence when available.
    • Focused revenue/app-generation tests now assert explicit scope on reservation and debit records.
  • Feature: tenant app generation now records first-class generated spec and artifact evidence.
    • Added ThorAPI-generated AppSpecDraft, AppObjectModel, ThorApiSpecRevision, and GeneratedArtifact models plus TypeScript clients.
    • App generation requests/runs now link spec draft, object model, ThorAPI spec revision, package ZIP artifact, and manifest artifact refs into generated runs, artifact sets, and receipts.

2026-06-06

  • Fix: account privacy routes under /v1/compliance/** plus /v1/auth/login-history now require authentication before the generic generated GET /v1/** fallback can expose data exports, privacy summaries, deletion actions, or masked login audit history.
  • Fix: operational table and summary statistics under /v1/statistics/tables and /v1/statistics/summary now require authentication before the generic generated GET /v1/** fallback, and the ObjectStatsPanel sends those dashboard requests with included credentials while marketing-safe public statistics such as /v1/statistics/general remain available.
  • Fix: SWARM agent chat history under /v1/agent-chat/** now requires authentication before the generic generated GET /v1/** fallback can match agent conversation metadata or encrypted chat history.
  • Fix: creator monetization reads for service lists, earnings, and revenue previews now require authentication before the generic generated GET /v1/** fallback, while public marketplace/service detail reads remain public.
  • Fix: generated identity and billing DataWorkbook reads for Principal, Customer, Organization, IntegrationAccount, AccountBalance, UsageTransaction, and PaymentTransaction now require authentication before the generic generated GET /v1/** fallback can match list, stats, or detail routes.
  • Fix: SageChat follow-up question cards now strip nested <question> protocol tags and render JSON-array <options> payloads as separate selectable option rows instead of one raw array blob.
    • Follow-up question rendering now also tolerates encoded command entities and attribute-bearing question/options tags, keeping the question text inside the question block and each option as an individual clickable row.
  • Fix: Customer Launchpad app listing and launch-token routes now have runtime MockMvc coverage proving anonymous callers cannot list or launch tenant applications even with CSRF.
    • Customer Launchpad launch clicks now fail closed when /v1/launchpad/apps/{applicationId}/launch does not return a tokenized runtime URL, preventing the dashboard from silently opening raw registered runtime or entrypoint URLs.
    • Customer Launchpad launch tokens are now issued only for HTTP(S) runtime or entrypoint URLs without embedded userinfo, and tokenized launch URLs preserve existing query strings and fragments instead of appending the token after a fragment.
  • Fix: generated DataWorkbook tables now serialize RBGrid next-page requests with ref-backed page, in-flight, loaded-page, and reset-version guards so scroll/keyboard prefetch cannot reuse stale React state or merge old reset responses while loading additional paged rows such as ContentData.
    • DataWorkbook pagination now starts from backend page 0, matching the generated ThorAPI pageable contract instead of skipping the first page and drifting the RBGrid append cursor.
    • Page append now always merges into the accumulated RBGrid dataset; the generator no longer clears already loaded rows when fetching backend page 1.

2026-06-05

  • Fix: SageChat command protocol now keeps deterministic command authority server-side while preserving rich frontend UX synchronization.

    • CommandProcessor.getCommandGuide() remains the LLM command source of truth, including the invariant that command XML/JSON is executor protocol and must not be pasted as explanatory chat text.
    • The frontend command reference is now a compact UX/operator reference only, naming supported command cards, view/tab opening, Workflow Studio graph and ExecModule sync, Aurora composition, server/deployment wizard flows, report opening, app-factory intent routing, WebSocket/SWARM ValorIDE control, live tenant runtime logs/events, command ack/error/progress, and dynamic panel synchronization.
    • Server command guidance now treats tenant ValkyrAI instances as first-class runtimes: ValorIDE agents registered to a tenant instance can run that tenant's workflows through the tenant runtime boundary, while shared ValkyrAI/api-0 commands remain Valkyr RBAC scoped and must resolve explicit tenant/application/runtime scope before crossing into tenant data, logs, workflow state, shell output, deployments, app-factory work, or ValorIDE control.
    • ValorIDE SWARM execution now forwards non-secret runtime scope in the command envelope, permits local tenant-instance agent/workflow control, and fails closed for shared-control-plane commands that omit tenant/application/runtime scope.
    • The central SWARM command forwarding service now applies the same shared-control-plane scope boundary for REST and WebSocket command traffic while preserving ordinary targeted messages and direct-dispatch policy denials.
    • /swarm-ops/command now returns generated commandId and rejectionCode receipts, and the ValorIDE Swarm Control Panel dispatches generated SwarmMessage commands through that server route so the UX reflects authoritative accepted/rejected/failed state instead of browser-simulated completion.
    • ValorIDE Swarm Dashboard discovery, activation, and suspend calls now use the shared authenticated API fetch rail with cookie, CSRF, and organization-header handling instead of local sessionStorage JWT fetches.
    • SageChat now renders workflow and completion XML as informative command cards instead of raw protocol text, while still executing persisted workflow commands through real REST endpoints and dispatching UI intents for live panel state.
    • The in-chat command guide now uses natural-language examples and documents XML/JSON as executor protocol, preventing the UX from encouraging users to paste raw command envelopes.
    • Tenant file list, metadata, download, and S3 diagnostic routes under /v1/files/** now require authentication before the generic generated GET /v1/** fallback can match them.
    • Runtime isolation and SWARM control-plane metadata routes under /v1/runtime/**, /v1/swarm-ops/**, /v1/swarm/agents/**, /v1/agents/**, and /v1/team-projects/** now require authentication before the generic generated GET /v1/** fallback can match them.
    • Workflow module/control-plane routes under /v1/modules/**, /v1/module-schemas/**, /v1/execmodules/**, legacy /v1/execModule/**, /v1/workflow-tasks/**, and command ABI /v1/abi/** now require authentication before the generic generated GET /v1/** fallback can expose module metadata, schemas, exports, config contracts, command rules, or task details.
    • App-factory, workflow-design, project-manager, JSON CRUD, and Sage slash-command routes under /v1/app-factory/**, /v1/workflow/design/**, /v1/project-manager/**, /v1/json-crud/**, and /v1/slash-command/** now require authentication before the generic generated GET /v1/** fallback can expose app-generation templates, workflow design streams/catalogs, or command telemetry.
    • Docs-fragment routes under /v1/docs/fragments/** now require authenticated users before the generic generated GET /v1/** fallback can expose workflow, schema, module, or LLM-context fragments, while API telemetry routes under /v1/metrics/api/** and /v1/api/telemetry/** now require ADMIN, DEVELOPER, or SYSTEM.
    • Exact account/workflow/MCP/GrayMatter read roots (/v1/credits, /v1/workflow, /v1/vaiworkflow, /v1/mcp, /v1/memory, /v1/mo, and /v1/graymatter) now require authentication before the generic generated GET /v1/** fallback can match them.
    • Exact collection/root routes for deployment, ThorAPI generation, schema evolution, and workflow-test control surfaces (/v1/deployments, /deployments, /v1/thorapi, /v1/schema-evolution, and /v1/workflow-test) now carry the same guards as their child routes so they cannot fall through to anonymous generated GET handling.
    • Admin/operator routes under /v1/admin/** now require platform ADMIN before the generic generated GET /v1/** fallback can match them, while /v1/admin/careers/** preserves the explicit ADMIN/RECRUITER console boundary.
    • Dashboard ops routes under /v1/ops/** now require ADMIN, DEVELOPER, or SYSTEM before the generic generated GET /v1/** fallback can match launcher contracts, loop contracts, or uptime telemetry.
  • Docs: published the spec-to-stack readiness matrix for Stainless-transition demo calls.

    • Added explicit Ready / In progress / Planned / Custom scoping / Not a fit language for buyer conversations.
    • Covered ThorAPI backend generation, TypeScript client freshness, multi-language SDK limits, docs/MCP parity, RBAC, SecureField, TrustFabric, GrayMatter, Stripe-paid plans, isolated instances, and deployment flow.
    • Linked the matrix from the Stainless demo-call playbook and SDK coverage FAQ so sales/support have one canonical limitations reference.
  • Feature: added ThorAPI-owned tenant isolation registry schemas for multi-tenant data-plane control.

    • Added TenantSchemaRegistry, ApplicationDataPlaneBinding, TenantRuntimeBinding, TenantSchemaBundle, TenantSchemaOperation, and TenantSchemaAccessAudit to api.hbs.yaml with explicit relationship/query indexes.
    • Regenerated backend Java models/services and frontend TypeScript models, RTK Query services, forms, tables, and charts from the ThorAPI spec.
    • Organization schema provisioning now persists generated TenantSchemaRegistry and TenantSchemaOperation lifecycle rows for provision, validation, delete, and failure states.
    • Organization schema provisioning no longer emits handwritten tenant table DDL; table shape stays owned by ThorAPI/Hibernate bundles after schema creation and registry validation.
    • Hosted AWS deployment UX now verifies an active generated TenantSchemaRegistry row before review/launch and passes registry metadata into the runtime manifest.
    • Lightsail deployment planning now enforces the generated tenant schema registry server-side when the repository is available, preventing API callers from bypassing the dashboard registry gate.
    • Successful hosted deployments now persist generated ApplicationDataPlaneBinding and TenantRuntimeBinding rows, then stamp their ids and runtime/data-plane mode back onto deployment metadata.
    • Runtime binding and application data-plane promotion now write generated TenantSchemaOperation lifecycle rows with bind_runtime or promote_data_plane operation types, deployment-actor approval, and deployment request correlation.
    • Tenant data-plane promotion contract coverage now proves every prior active/validating application write-plane binding is retired before the promoted binding becomes active, and the runtime binding plus lifecycle operation point at the promoted data plane.
    • ThorAPI tenant-scoped code generation now persists generated TenantSchemaBundle model/table manifests, supersedes prior active manifests for the same tenant/application, updates registry bundle/checksum metadata, and writes an apply_bundle TenantSchemaOperation without emitting handwritten table DDL.
    • Tenant bundle manifests now enforce schema-declared x-valkyr-scope values, reject missing scope and derived table collisions, prefix org_schema app-private tables with <appid8>_, prefix shared business tables with shared_, and keep app-private table names unprefixed for app-schema/app-database placements.
    • Tenant bundle manifests now carry referenced component model names for $ref fields and reject shared-model dependencies on app-private models while allowing app-private models to reference shared contracts.
    • External or cross-app component references in tenant bundles now fail closed unless the relationship field declares x-valkyr-relationship-contract: shared, and declared shared external contracts are retained in the generated bundle manifest.
    • Runtime schema column auto-expansion no longer runs as an application startup DDL mutator; field sizes, relationships, indexes, and tenant table shape remain owned by ThorAPI/OpenAPI specs, generated entities, Hibernate DDL, or ThorAPI-generated schema reconciliation ledger entries.
    • Deployment defaults now advertise the ledgered VALKYRAI_SCHEMA_RECONCILIATION_ENABLED=true runtime contract instead of the removed VALKYRAI_SCHEMA_AUTO_EXPAND_COLUMNS startup-mutator flag across Lightsail plans, deploy helpers, Docker, Helm, local Kubernetes, native runners, and dashboard-generated Lightsail specs.
    • Added generated SchemaEvolutionLedger ThorAPI schema with explicit schema/status, category/status, safe/status, planned-time, and migration-identity indexes so schema reconciliation is durable, queryable, and idempotent instead of an invisible startup patch.
    • Schema evolution preview now returns typed reconciliation changes, marking generated string-widening and enum-constraint expansion as safe auto-apply candidates while requiring manual review for data backfills, nullable column adds, and unknown DDL shapes.
    • Safe generated schema reconciliation now runs automatically and transparently when enabled: string-widening and enum-expansion changes are applied under a database/JVM lock, written to SchemaEvolutionLedger with generated migration identities and statement hashes, and skipped on later boots once the ledger records the change.
    • The multi-tenant PRD now explicitly allows Flyway-style ledgering only when ThorAPI generates the migration identity and SQL from spec deltas; safe widening/enum expansion remains automatic and transparent, while handwritten migration files remain disallowed for normal ThorAPI drift repair.
    • Unsafe generated reconciliation changes such as data backfills are recorded as manual_review_required without executing SQL, preserving the audit trail without turning schema drift repair into a data-mutation side channel.
    • Generated SchemaEvolutionLedger DataWorkbook routes are denied alongside the tenant isolation registry/control models; operators use the lowercase ADMIN-only schema-evolution preview/reconcile surface instead of browsing generated control rows directly.
    • Runtime security coverage now proves anonymous and non-admin callers cannot use lowercase schema-evolution preview, reconcile, or settings routes; schema reconciliation remains an ADMIN-only ThorAPI-generated rail, not a generic DataWorkbook or public /v1/** fallback.
    • LCARS Platform Ops now exposes the same lowercase schema-evolution preview/reconcile surface in the Tenant Schemas panel, showing planned, safe, manual-review, and applied counts without exposing generated ledger DataWorkbook browsing.
    • Tenant bundle registration now revalidates any generated ApplicationDataPlaneBinding before manifest persistence, requiring the binding to belong to the same registry/application and to use the exact server-derived org/app schema or validated app-database placement.
    • Tenant bundle registration now rejects platform-owned model/table contamination such as Principal, Customer, Invoice, UsageTransaction, payment, credit, and Valkyr billing control objects before any tenant allowlist is persisted.
    • SecureField KMS default-key derivation is now tenant-aware for generated/domain objects that expose tenant schema, tenant registry, application database, or owner scope, preventing unrelated tenant records without an explicit keyHash from converging on the same generated key material.
    • Added the admin-only /v1/tenant-schemas control surface for audited registry reads, health checks, validation operations, audit lookup, and manifest-allowlisted tenant object inspection.
    • Tenant object inspection now resolves schema names from TenantSchemaRegistry and table names from active TenantSchemaBundle manifests only; no request-provided schema/table names or free-form SQL endpoints are accepted.
    • Tenant object inspection now ignores generated model field entries and generic OpenAPI schema metadata when deriving allowlisted tables, preventing field names or type: object fragments from becoming tenant object browse targets.
    • Tenant object inspection now revalidates the registry schema as canonical org_<uuid> before bundle lookup or SQL execution, and writes failed audit rows for noncanonical registry schema attempts.
    • Tenant object inspection now carries each active bundle's application data-plane placement through the allowlist: app_schema bundles read only the server-derived org_<uuid>_app_<8hex> schema, while app_database and byoc_database bundles fail closed until a runtime-specific admin datasource is available instead of falling back to the registry org schema.
    • Tenant schema health and validation now use the same application data-plane placement contract: org_schema and app_schema bundle tables are checked only in their derived schemas, while app_database and byoc_database health is reported as requiring the paid runtime datasource instead of being misread from the registry schema.
    • Tenant-admin app-database/BYOC object inspection now routes through TenantSchemaExecutionService and becomes available only when the server enters a matching runtime admin data plane; shared/api-0 datasource attempts remain failed closed and audited.
    • Tenant object inspection now redacts common credential, key, token, authorization, and bearer column variants before admin list or record payloads leave the service.
    • LCARS Platform Ops now exposes an admin-only Tenant Schemas panel that reason-gates registry reads, health checks, active ThorAPI bundle evidence, validation, audit lookup, and allowlisted object inspection through /v1/tenant-schemas instead of generic DataWorkbook browsing.
    • Tenant Schemas LCARS health now renders per-object placement verification, including the inspected app schema when available and a visible runtime-datasource-required warning for app-database/BYOC placements.
    • Tenant Schemas LCARS health now renders manifest-derived active bundle posture counts for total models, app-private models, shared models, external references, and shared relationship contracts while the backend keeps raw bundle manifests out of the dashboard response.
    • Tenant Schemas LCARS object inspection now derives clickable object buttons from placement-aware health, leaves app_database/BYOC objects disabled as runtime-datasource targets, and disables shared-datasource loading when every active bundle object requires the paid runtime admin datasource.
    • Tenant schema validation, validation failures, and denied unsupported lifecycle operation requests now write explicit TenantSchemaAccessAudit rows, and tenant-admin expected 4xx paths no longer roll back those audit/operation records.
    • Tenant schema lifecycle operation requests now audit unknown or malformed operation types before returning 400, preserving request id and operational reason while avoiding generated operation rows for invalid enum values.
    • Tenant admin service tests now prove blank or too-short operational reasons fail before schema inspection and before any audit row is written, matching the LCARS reason gate server-side.
    • Generated tenant isolation model HTTP/DataWorkbook routes are now explicitly denied before the generic /v1/** GET fallback, while their ThorAPI-generated repositories/services remain available for internal orchestration.
    • Runtime security tests now prove platform ADMIN callers are forbidden from browsing generated tenant isolation DataWorkbook list, detail, and stats routes.
    • Tenant Schemas LCARS audit lookup now calls the lowercase audited /v1/tenant-schemas/{id}/audit surface with the operational reason instead of any generated tenant DataWorkbook route.
    • Hosted AWS deployment UX now uses the authenticated /v1/tenant-schemas/preflight endpoint for audited registry readiness checks instead of generated TenantSchemaRegistry RTK/DataWorkbook reads.
    • Custom lowercase /v1/tenant-schemas/** admin and preflight routes are now explicitly authenticated before the generic anonymous /v1/** GET fallback, with runtime coverage proving anonymous users cannot read tenant schema list, detail, health, audit, object, or preflight endpoints, and authenticated non-admin users cannot use tenant-schema admin list, detail, health, audit, object, validate, or operation routes.
    • Deployment endpoints now require authenticated callers explicitly at route and controller boundaries, including generated deployment delegate operations, Fargate upgrades, database connectivity checks, generated deployment secrets, and the /deployments compatibility route.
    • Added a GrayMatter tenant schema context resolver that fails closed unless the authenticated principal maps to an organization with an active/validating generated TenantSchemaRegistry.
    • Internal Valkyr Labs agents with ROLE_VALKYR_AGENT now resolve GrayMatter memory/retrieval operations to the explicit main control-plane context, and TenantSchemaExecutionService executes that context on the current platform connection without schema/catalog switching while customer/org agents still require generated tenant schema context.
    • The authenticated /v1/tenant-schemas/preflight/graymatter_status endpoint now reports the resolved GrayMatter schema context, including schemaName=main for internal Valkyr agents, and the GrayMatter repo gm-status script surfaces tenant_schema_context / tenant_schema_name for operator checks.
    • GrayMatter gm-status now treats missing tenant/main schema context as memory_layer=degraded; gm-write queues fallback instead of attempting durable /MemoryEntry/write, and gm-retrieval-receipt refuses receipt create/get/list calls before api-0 when tenant_schema_context is not ready.
    • GrayMatter memory controllers, generated MemoryEntry delegate overrides, memory runtime actions, retrieval receipts, and semantic index search now require or apply the resolved tenant schema context.
    • Semantic index writes now stamp tenantScope with the resolved org_<uuid> schema, summary/vector semantic retrieval filters to that tenant scope, and retrieval receipts persist the schema name as tenantId.
    • Added TenantSchemaExecutionService to run tenant data-plane repository work under the registry-derived schema/catalog and reset the JDBC connection state in finally.
    • Added H2-backed cross-schema execution regressions proving identical table names in sibling org_<uuid> schemas return only the selected tenant's rows, unqualified writes land only in the selected tenant schema even with identical ids, and the connection schema resets after tenant work.
    • Added direct generated-domain table isolation coverage proving a representative teeth app table can store the same domain id in sibling organization schemas without either tenant reading the other's row.
    • MemoryEntry now includes generated application and project relationships with explicit app/project indexes; generated POST /MemoryEntry preserves those relationships and resolves application-scoped memory through the active generated ApplicationDataPlaneBinding.
    • Custom GrayMatter compatibility endpoints now preserve the same application/project relationship scope: /v1/memory/write builds generated MemoryEntry payloads from applicationId/application_id and projectId/project_id, while /v1/memory/query and /v1/memory/list apply app/project filters before tenant schema execution.
    • Tenant schema execution now allows only registry-derived organization schemas or server-derived application schemas in the org_<uuid>_app_<8hex> form, keeping arbitrary schema names rejected.
    • Application-scoped GrayMatter routing now revalidates app_schema bindings against the exact server-derived org_<uuid>_app_<application-id-prefix> name before returning a tenant context, preventing poisoned binding rows from routing one app's memory into another app schema.
    • Application-scoped tenant context now carries the active generated ApplicationDataPlaneBinding id, app data-plane mode, database name, host, region, and managed credential reference when app/project GrayMatter memory resolves beyond the organization schema.
    • Shared tenant schema execution now rejects app_database and byoc_database contexts instead of silently executing separate app-database work on the platform DataSource; those placements require a runtime-specific data source.
    • Paid-runtime app-database execution now requires tenant/customer/organization runtime scope, VALKYRAI_SHARED_DATABASE_ALLOWED=false, matching data-plane mode, database name, database host, and managed credential reference before switching only the bound application database catalog.
    • Managed app_database contexts now require the server-derived appdb_<organization_uuid_without_dashes>_<application_id_prefix> database name at binding creation, tenant-context resolution, and JDBC execution; BYOC database names remain customer-specific but still require the exact active runtime binding metadata.
    • GrayMatter memory usage telemetry now uses bounded indexed UsageTransaction projection queries instead of the timeout-prone OR/LOWER usage-ledger query shape, with contract coverage keeping the ThorAPI spec and generated entity memory-ledger indexes in place.
    • GrayMatter memory reads/writes, semantic index writes/searches, retrieval receipt persistence/reads, sparse keyword retrieval, graph retrieval, MySQL full-text retrieval, and generated-target semantic retrieval now enter the tenant schema execution boundary instead of relying only on owner filters.
    • Retrieval receipt reads now reject receipts whose persisted tenantId does not match the resolved tenant schema.
    • Legacy and compatibility memory search routes now require authenticated GrayMatter roles, read entitlement, tenant schema context, and registry-derived tenant read execution before querying /MemoryEntry/search, /v1/memory/search, or /v1/memory/semantic-search.
    • Generated and custom GrayMatter read surfaces now authenticate before the generic /v1/** GET fallback, including /v1/GrayMatter, /v1/graymatter/**, /v1/graymatter-retrieval-receipts/**, /v1/memory/**, and /v1/MemoryEntry/**.
    • Removed /v1/GrayMatter from public API cache-header handling so GrayMatter cannot be treated as an anonymous public catalog route.
    • GrayMatter activation and MCP bundle controllers now carry explicit authenticated GrayMatter role guards, and runtime security tests prove anonymous callers with valid CSRF tokens cannot use GrayMatter action routes such as memory write/query, semantic-index search, retrieval context, retrieval benchmark, activation events, MCP bundles, or retrieval receipt creation.
    • GrayMatter control-surface metadata routes now require resolved tenant schema context before returning control, retrieval-tool, semantic-index manifest, object-graph shape, or retrieval-benchmark metadata, preventing schema/planning surfaces from leaking to org-less authenticated users.
    • Runtime security tests now also prove anonymous callers with valid CSRF tokens cannot use application generation, deployment, or tenant-schema validation/operation action routes.
    • Added GrayMatter-only write regressions proving /v1/memory/write resolves tenant schema context before credit entitlement or persistence, and blocks persistence entirely when tenant context is missing.
    • Application data-plane binding now derives app_schema names server-side, requires managed database placement metadata for app_database and byoc_database, rejects environment-only BYOC placement strings, and promotes/retire bindings when the physical placement changes so each app has one active write plane.
    • Application data-plane binding now skips generic deployments without tenant schema/registry hints and reuses an unchanged active binding on same-plane redeploys, avoiding duplicate active write planes or false promotion lifecycle rows.
    • Application data-plane binding history now uses an explicit app/status query index instead of a coarse app/status unique constraint, allowing multiple retired historical bindings while service logic retires duplicate active/validating/binding rows before reusing or promoting a write plane.
    • Runtime data-plane binding now ignores stale inactive duplicate registry rows during schema-name lookup, prefers deployable ACTIVE/VALIDATING registries, and rejects noncanonical registry schema names before writing application/runtime binding rows.
    • Deployment metadata now records the active binding ids, registry id, application data-plane mode, runtime kind, and database placement evidence after successful tenant data-plane binding.
    • AWS Fargate deployment results now normalize tenant runtime metadata from DeploymentSpec.environmentVariables before binding so the runtime records see aws-fargate, registry id/status, customer schema, database scope, isolation mode, database host/region, OpenAPI checksum, shared-DB flag, and tenant auth/RBAC mode.
    • Lightsail deployments now derive managed app_database placement from the tenant registry and stable Application.id, rewrite provisioned db-0 JDBC URLs to appdb_<organization_uuid_without_dashes>_<application_id_prefix>, reject mismatched explicit app database names, and stamp non-secret app database placement metadata into deployment results.
    • Deployment Wizard now keeps a stable generated Application.id through review/submit and displays/sends the server-derived managed app database name, host, and credential reference for app_database registries.
    • Deployment validation now rejects customer application runtime specs that target shared ValkyrAI database endpoints/schemas, declare shared/internal/platform data scopes, allow shared databases, or point org_schema runtimes at a sibling db-0 schema.
    • Tenant RBAC replacement now rejects platform/internal roles in hosted customer schemas even when a stale principal already has the role, preventing tenant runtime updates from preserving ROLE_ADMIN, ROLE_SYSTEM, or internal Valkyr agent privileges.
    • Tenant RBAC replacement now also proves stale platform roles can be cleaned up by replacing them with tenant-safe roles, so customer-schema admins are blocked from preserving platform authority without being trapped by bad historical state.
    • Tenant RBAC now has positive generated-domain coverage proving hosted customer schemas can create roles such as ROLE_DENTIST and grant generated-object authorities such as TEETH_READ, while platform/internal roles and authorities remain blocked.
    • Generated customer app scaffolds now emit per-model REST controllers plus a tenant TenantRbacAuthorization guard, requiring generated object authorities such as WIDGET_READ, WIDGET_CREATE, or WIDGET_WRITE while treating ROLE_ADMIN, ROLE_SYSTEM, ROLE_VALKYR_AGENT, and VALKYR_* authorities as platform-only signals that do not authorize tenant app data.
    • Generated app scaffold tests now compile the emitted backend sources and invoke the generated tenant RBAC guard, proving object authorities authorize generated app data and platform admin/schema authorities do not; the coverage now includes a dentistry Teeth domain scaffold with TEETH_READ/ROLE_TEETH_CREATE allowed and mixed platform authority payloads denied.
    • Tenant bundle lifecycle regressions now prove generated app-domain components such as Teeth are captured in tenant bundle manifests, and tenant admin object reads remain constrained to active bundle allowlists.
    • Tenant Schemas admin health now carries active bundle application and application data-plane binding ids through to LCARS so admins can see which generated app and write-plane binding controls each manifest allowlist.
    • Tenant Schemas admin health now exposes non-secret active data-plane placement details for each active bundle, including write-plane mode/status, schema/database placement, database host/region, and active deployment id; LCARS renders those details from the audited lowercase tenant-schema health route.
    • Customer Launchpad now uses the authenticated lowercase /v1/launchpad/apps surface to project owned generated Application rows and latest TenantRuntimeBinding metadata into launch-safe dashboard cards without exposing hidden generated tenant-runtime DataWorkbook routes.
    • Customer Launchpad now projects source-backed app catalog metadata from generated TenantRuntimeBinding, TenantSchemaRegistry, Deployment, and ApplicationDataPlaneBinding records, including organization id, registry id, tenant schema/database scope/isolation mode, link type, deployment ownership model, billing profile, data-plane binding/schema/database placement, data-plane mode/status/region, required launch-token claims, and health URL only when deployment metadata registers one or a healthCheckPath can be resolved from the runtime/deployment origin.
    • Customer Launchpad launch clicks now call /v1/launchpad/apps/{applicationId}/launch to receive a five-minute signed tokenType=launchpad JWT scoped to the authenticated principal, generated application, organization, tenant schema registry/name, tenant database scope/isolation mode, application data-plane binding/placement, runtime binding, and runtime origin before opening the tokenized runtime URL. Bound runtimes fail closed when tenant registry/data-plane scope is incomplete, and launch tokens do not include managed credential references.
    • Runtime isolation now reports application data-plane mode, binding ids, tenant registry id, application database placement, tenant auth/RBAC mode, and paidRuntimeIsolationReady through /v1/runtime/isolation.
    • Runtime isolation readiness now follows the app-database execution guard, requires live JDBC catalog/schema alignment with the configured tenant or app database binding, and exposes only non-secret booleans for managed credential-reference and connection-alignment state.
    • Runtime isolation now includes a server-configured database privilege probe that prevents paid runtimes from reporting ready when their datasource can read forbidden platform or sibling tables; regression coverage proves least-privilege app users pass, overprivileged users fail, and unsafe probe table identifiers are rejected.
    • Customer Instance Ops now renders the runtime data-plane mode, shared database guardrail, application database placement, tenant runtime RBAC state, live tenant/app connection alignment, and database privilege probe status from the isolation endpoint, including an explicit warning when forbidden platform or sibling tables are readable.
    • Tenant Schemas and Customer Instance Ops now visibly warn when a managed app_database placement reports a stale/friendly database name instead of the server-derived appdb_<organization_uuid_without_dashes>_<application_id_prefix> contract.
    • Added ThorAPI Component Library documentation for CustomerInstanceOpsDashboard and refreshed TenantSchemaAdminPanel documentation for server-side reason gating and write-plane placement evidence.
    • GrayMatter semantic recall now accepts app/project scope, resolves the tenant read context through the active application data-plane binding, and filters candidates to the requested application/project so app-private memory follows the isolated data plane.
    • Retrieval receipt providers now honor app/project scope from generated request filters across dense, sparse, graph, summary, generated-target, and full-text lanes, and app-scoped receipts are stamped with the application schema resolved from the active data-plane binding.
    • Sparse and graph retrieval now push app/project scope into the DB-backed MemoryEntrySearchService criteria query itself, using the generated MemoryEntry application/project relationships and keeping post-query candidate filtering as defense in depth; MemoryEntrySearchServiceIT proves the Criteria query excludes sibling project rows at the database search layer.
    • Added tenant retrieval receipt indexes for tenantId,createdAt and tenantId,retrievalStatus,createdAt, plus deployment polling/reconciliation indexes for status/deployed time, status/completed time, spec/status, deployed-by/status, and cloud resource id.
    • Added an OpenAPI contract test that prevents tenant schemas, hot runtime/retrieval/polling indexes, bounded large-text manifest fields, and regenerated hot-path repository methods from regressing.
    • ThorAPI ACL permission evaluation now centralizes SID normalization, anonymous/admin checks, owner-default masks, permission implication, and target-id/class resolution in one support class shared by ValkyrACL and ValkyrAIPermissionEvaluator; Spring's public Acl.isGranted(...) and PermissionEvaluator.hasPermission(...) entry points remain distinct, but the policy logic no longer forks.
    • ValkyrAIPermissionEvaluator no longer maintains a private SidRetrievalStrategy path; both hasPermission(...) and concrete ACL isGranted(...) requests now derive principal/authority SIDs through ValkyrAclSecuritySupport.authenticationSids(...).
    • Added a tenant schema-authority contract test that scans SQL migration resource folders and fails if tenant isolation tables are introduced through migration scripts instead of ThorAPI/OpenAPI plus Hibernate DDL.
    • Added tenant hot-path query-shape regressions proving schema-name runtime binding and registry-scoped audit lookup use generated key/relationship queries and avoid repository-wide scans.
    • Added an executable tenant isolation production-release gate requiring fresh staging p95/load evidence for registry lookup, GrayMatter retrieval, audit writes, deployment status polling, runtime binding lookup, and application data-plane promotion validation before non-dry-run production deployment API calls.
    • Deployment launcher contract tests now prove production deploys fail closed when tenant release evidence is missing or incomplete.
    • Deployment API validation now rejects production tenant runtime specs without fresh inline VALKYRAI_TENANT_ISOLATION_RELEASE_EVIDENCE_JSON/VALKYRAI_TENANT_RELEASE_EVIDENCE_JSON evidence for every required tenant release-gate result.
    • Lightsail staging deployments remain launchable without production release evidence when VALKYRAI_DEPLOYMENT_STAGE is explicitly non-production, even if the staged runtime uses SPRING_PROFILES_ACTIVE=production.
    • Fargate promotion now requires tenant release evidence before cloud provisioning, and the dashboard sends that evidence to the authenticated upgrade endpoint instead of allowing an ungated staging-to-production path.
    • The dashboard now validates Fargate tenant release evidence before submit, rejecting missing result arrays, stale timestamps, missing required release-gate measurements, bad samples, and p95 values above threshold before the upgrade API is called.
    • Added focused API and dashboard regressions proving production tenant deploys, Fargate promotion, and the dashboard upgrade flow honor the release evidence gate.
    • Added deployment security contract coverage to prevent anonymous access from returning through the generic /v1 GET fallback.
    • Added ThorAPI app-generation security contract coverage proving every /v1/thorapi controller route requires ADMIN or DEVELOPER, /v1/thorapi/** is protected before the generic anonymous /v1/** GET fallback, and anonymous job-status reads are rejected at runtime.
    • Added controller regressions for semantic search and keyword search aliases to verify principal denial, entitlement checks, tenant schema resolution, and tenant-scoped read execution.
    • Added data-plane binding/runtime regressions for generic deployment skip behavior, unchanged redeploy binding reuse, derived app schema placement, app database credential requirements, BYOC metadata gating, same-registry promotion, Fargate tenant metadata normalization, shared ValkyrAI DB rejection, runtime isolation reporting, tenant-domain RBAC authorization, audited tenant-admin dashboard rendering, and deployment metadata propagation.
  • Fix: protected generated DataWorkbook/ThorAPI updates from sparse-payload data loss.

    • Generated PUT delegates now merge non-null incoming fields into the existing row before saveOrUpdate when the id already exists, preventing omitted DataWorkbook fields from being persisted as null.
    • PUT still inserts when the id does not exist, preserving create-on-PUT behavior while making existing-row updates safe for grid-style sparse edits.
    • Added generated delegate regression coverage proving an IntegrationAccount DataWorkbook-style sparse PUT updates one visible field while preserving omitted scalar, SecureField, and encrypted identifier values.
  • Fix: consolidated ACL permission evaluation into the ThorAPI ACL decision path.

    • ValkyrAIPermissionEvaluator now delegates object ACL decisions and anonymous public-read fallback through Acl.isGranted instead of scanning raw ACL entries itself.
    • ValkyrACL.hasPermission(...) is now only a compatibility/runtime entrypoint; it normalizes inputs and routes through the same shared runtime permission decision helper used by ACL evaluation.
    • AclService.hasPermission(...) helpers now delegate object decisions through readAclById(...).isGranted(...) instead of scanning generated AclEntry rows directly.
    • ValkyrPermissionGrantingStrategy now delegates to the ACL implementation instead of maintaining a second ACE-scanning algorithm.
    • WorkflowMetricsAspect now gates workflow-specific WebSocket metric emission through the central ValkyrAclService.hasPermission(..., READ) check on the generated Workflow object identity instead of an allow-all placeholder; malformed workflow ids and missing ACL service wiring fail closed while explicit workflow operator roles stay intentional.
    • Added an app boundary regression proving ValkyrAI cannot reintroduce app-local ValkyrACL, permission-granting strategy, or ACL authorization strategy forks.
    • Added boundary regressions proving AclService and ValkyrPermissionGrantingStrategy cannot reintroduce duplicate ACL decision loops.
    • Added WorkflowMetricsAspectTest coverage for ACL grant, ACL deny, operator role bypass, invalid workflow id denial, and missing ACL service denial.
    • Updated ACL tests so deny/grant behavior is modeled through the shared ACL decision path rather than duplicate evaluator-side ACE scans.
  • Fix: restored generated DataWorkbook field visibility for hidden/secure/audit columns.

    • Generated tables now build the column universe from the full ThorAPI model field list, so IntegrationAccount exposes fields such as apiKey, accountId, createdDate, lastAccessedDate, and lastModifiedDate when hidden columns are toggled on.
    • RBGrid now renders a hidden/generated-column checkbox to the left of select-all, keeping sensitive and generated fields hidden by default while making them inspectable on demand.
    • RBGrid dark-mode checkbox styling is larger and brighter, with a cyan border/focus affordance so row, boolean, and hidden-column checkboxes remain visible against the dark grid.
    • Added focused frontend regression coverage for generated field visibility, hidden-column toggling, and dark-mode checkbox styling.
  • Fix: hardened hosted runtime tenant schema validation for Lightsail deployments.

    • Deployment launch now requires provisioned customer schemas to use the org_<32 lowercase hex organization UUID> contract used by ThorAPI tenant provisioning.
    • Dashboard deployment validation now rejects malformed provisioned schemas before database testing or launch.
    • Updated the multi-tenant hosting PRD naming contract from the older cust_<orgid8> draft wording to the current org_<organization_uuid_without_dashes> pattern.

2026-05-27

  • Content: added a GrayMatter agent-memory quickstart for Stainless-transition demos.

    • Published the install/auth, write, query, schema-context, safety guardrail, and 20-minute demo path.
    • Linked the quickstart from the Stainless Alternative page alongside SDK coverage and freshness guidance.
    • Added coverage so the public comparison page keeps both customer-success links visible.
  • Docs: added Stainless-transition pricing transparency support copy.

    • Expanded the Stainless Transition FAQ with buyer-facing plan-boundary, credit, usage-limit, and overage guardrails.
    • Added a demo-call pricing-objection response that translates credits into memory reads, writes, reindexing, and generation work without competitor fearmongering.
  • Feature: added strategy-backed Projects across the Valhalla suite.

    • Project and ProjectObjectLink are now ThorAPI-generated schema objects with generated REST services, Java models, repositories, and TypeScript RTK Query clients.
    • LCARS now exposes Business > Projects with a New Project action, stage tracking, generated object counts, and deterministic stage advancement.
    • GrayMatter control surfaces now publish Project and ProjectObjectLink as RBAC-visible object-graph primitives while keeping SwarmOps coordination-only.
    • ValorIDE's GrayMatter client now discovers Project capabilities and can create/update Project records with sourceSurface: "valoride".
    • Added a ValkyrAI Project ExecModule for workflow CRUD, stage advancement, and linking goals, tasks, workflows, applications, deployments, MCP services, memory entries, and object links.
  • Fix: restored the Docusaurus mobile docs sidebar to the built-in hamburger behavior.

    • Removed the custom bottom Docs drawer, custom mobile logo toggle, and duplicate custom navbar menu item that could render a blank popout.
    • Kept the native Docusaurus sidebar and navbar sidebar flow as the single mobile navigation path.
  • Feature: added Valhalla customer experience mode for the white-paper funnel and dashboard.

    • The white-paper funnel now maps customer intent to a dedicated persona-mode preference with typed personaMode and personaComplexity fields while preserving existing Customer.role values.
    • Added a dashboard Mode pill next to credits so users can switch between CxO, solopreneur, engineer, student, reseller, publisher, workflow designer, and GrayMatter lenses.
    • User Preferences now exposes the same Experience Mode control and a complexity selector for testing guided, balanced, and expert presentations.
    • LCARS dashboard navigation now reorders already-authorized items by persona focus without changing RBAC role gates.
    • Account plan details now call out TrustFabric Compliance as Enterprise-included or Team add-on eligible.

2026-05-21

  • Fix: restored admin ACL repair authority for deny-all permission mistakes.

    • Admin domain-object permission checks now bypass explicit deny ACLs before object ACL lookup.
    • ACL mutation strategy now recognizes the real admin authorities only; tests use ROLE_ADMIN.
    • ACL revoke now resolves entries by the protected object's UUID and removes matching grant/deny ACEs so admin repair actions can clear stale EVERYONE denies.
    • PermissionDialog no longer exposes the Deny EVERYONE all testing shortcut and adds an admin repair action to clear explicit deny entries.
  • Enhancement: modernized SageChat/Valor prompt enhancement for workflow and SWARM automation.

    • Backend LLMController now injects the command guide even when a provider initialPrompt is blank.
    • CommandProcessor.getCommandGuide() now documents browser/UI, generated REST, workflow canvas, and SWARM command surfaces.
    • SageChat's frontend operator prompt moved into a testable valorCommandPrompt.ts module and removes secret-like credential examples.
  • Fix: stopped SageChat provider payloads from being written to runtime logs.

    • LLMController now logs OpenAI/pass-through/Ollama requests, responses, and provider errors as metadata only.
    • Generated logging configuration no longer forces all com.valkyrlabs logs to DEBUG; LLMController defaults to INFO with an explicit VALKYRAI_LLM_CONTROLLER_LOG_LEVEL override.
    • Added regressions that fail if prompt text, chat text, serialized messages, or provider error bodies leak through DEBUG/TRACE logs.
  • Fix: hardened ThorAPI frontend client generation for Vite dev startup.

    • yarn dev now regenerates the ThorAPI TypeScript client before starting Vite so ignored src/thorapi output is present.
    • generate-thorapi-client.mjs snapshots the previous generated client and restores it if ThorAPI generation aborts, preventing failed generation from deleting the last usable service files.
    • Added a Node regression that simulates a ThorAPI failure and verifies the previous DownloadAccessService output survives.
  • Fix: hardened SAGEChat CSRF retry handling for production subdomain cookies.

    • authFetch now retries unsafe requests with the fresh token returned by /auth/csrf instead of falling back to a stale readable XSRF-TOKEN cookie.
    • Clearing browser auth storage also clears remembered CSRF state so switch-account and fresh-login flows cannot reuse an old token.
    • Added focused Jest regressions for SAGEChat /llm-details/{id}/chat retry behavior and CSRF token precedence.

2026-05-20

  • Fix: hardened fresh-localhost startup and first-write ACL behavior.

    • Wired memory entitlement construction through Spring's configured constructor path.
    • Restored a primary applicationTaskExecutor so async MVC dependencies resolve when channel executors are also present.
    • Removed the duplicate /v1/metrics/api/live telemetry alias controller mapping.
    • Retried ACL ownership grants when concurrent acl_class creation hits the H2 unique constraint for models such as UserPreference.
    • Aligned stale controller/API test fixtures with generated PaymentTransaction.amountCents and GrayMatter activation constructor signatures.
  • Fix: made credit_pricing_matrix the editable runtime pricing source for credit economics.

    • Credit purchases now price cents through the active matrix unit key instead of treating cents as credits.
    • Memory read/write, generator, launch, swarm, and LLM rates resolve through matrix rows with existing property defaults as bootstrap fallbacks.
    • Buy Credits, cart checkout metadata, and dashboard examples now display matrix-derived credit rates.
  • Fix: made configured bootstrap super-admin password rotation consume the handoff file.

    • Existing super principals now accept valkyr.bootstrap.super.password / VALKYR_BOOTSTRAP_ADMIN_PASSWORD as authoritative on startup.
    • Stale config/bootstrap/super-admin.once credentials are rewritten as a consumed marker and renamed out of the active bootstrap path.

2026-05-19

  • Fix: hardened OpenAPI wizard sourceDetails persistence path against legacy 255-char column regressions.
    • Added JPA integration coverage that saves and reloads an OasOpenAPISpec with a 560-character sourceDetails payload.
    • Locks in the first-run import path expectation that rich wizard metadata persists cleanly instead of triggering SQL overflow failures.

2026-05-06

  • Fix: restore Stripe credit purchase POSTs on Loki and production-style deployments.
    • Kept authenticated checkout endpoints and the Stripe webhook out of the broad CSRF gate so hosted Checkout can start from cookie-authenticated users.
    • Added a CSRF contract test that allows only explicit checkout exemptions and rejects broad /v1/** or /v1/checkout/** bypasses.
  • Fix: Loki OAuth callback stability for GitHub and Google sign-in.
    • Hardened the manual OAuth success handler against lazy Principal role, authority, and organization associations after provider callback completion.
    • Preserved least-privilege EVERYONE fallback claims so a lazy association cannot turn a successful provider handshake into a Whitelabel 500.
    • Added focused regression coverage for the callback success path.
  • Build: restored deterministic Java 17 class output before AspectJ weaving.
    • Added a vaix/Maven compile bridge that replaces partial compiler classfiles with raw Java 17 javac output before the AspectJ staging guard runs.
    • Kept the hard unresolved-compilation classfile guard in place so bad bytecode fails before a Loki or production package can be created.
    • Excluded generated openapi.yaml from runtime resources to keep the executable jar from absorbing non-runtime spec bloat.
    • Tightened Maven resource/jar packaging so only openapi/api-out.yaml is copied into classes and the executable jar.
  • Security: removed a MailerSend-looking token comment from the email ExecModule source; MailerSend credentials now remain deployment-only configuration.

2026-05-04

  • Fix: make the marketing-site 3D background decorative-only on content routes.
    • Added a WebGL capability guard so the react-three-fiber background only mounts when the browser can initialize WebGL.
    • Wrapped the background canvas in a non-fatal ErrorBoundary fallback so renderer failures no longer crash the page route.
    • Added focused Jest coverage for the decorative background support helper.

2026-05-03

  • Feature: GrayMatter SWARM Protocol v0.1 for issue #2297.
    • Published a canonical GrayMatter-backed event contract for Codex, OpenClaw, Valor, Valklaw, ValorIDE, Claude adapters, humans, workflows, CRM, CMS, deployments, GitHub, and audit state.
    • Added a machine-readable JSON schema at /schemas/graymatter-swarm-v0.1.schema.json.
    • Wired the LCARS SwarmOps dashboard to parse v0.1 WebSocket events, merge live SwarmOps presence with durable Agent Directory records, and flag SwarmOps-only agents as Needs Agent.
    • Hardened Agent creation against the billing quota aspect fallback constructor path so Codex/OpenClaw/Claude/native agents can create durable Agent records before broadcasting presence.
    • Linked ValkyrAI, ValorIDE, architecture, dashboard, and mothership notes back to the canonical spec while preserving the current STOMP/WebSocket compatibility profile.
  • Fix: launch-page documentation links for the GrayMatter-first GTM path.
    • Encoded the Workflow Engine docs slug used by GrayMatter, Ultimate Homepage, and Support surfaces so public Docusaurus links open cleanly.
    • Tightened GrayMatter landing tests around the sales narrative, CTAs, and journey docs target.
  • Feature: GrayMatter TrustFabric launch kit for issue #574.
    • Added a buyer-facing launch packet with hero copy, proof strip, one-pager narrative, FAQ, demo script, and technical proof links.
    • Linked the launch kit from the GrayMatter Docs Fast Lane so demos and sales calls have one canonical proof asset.
    • Added GrayMatter landing coverage for the launch-kit documentation CTA.
  • CI: scoped App Factory release gates to App Factory lane branches only.
    • Non-App-Factory PRs to rc-* now skip the App Factory checklist instead of failing on unrelated branch names.
    • Real App Factory lanes still enforce the issue-id branch policy and release checklist.

2026-03-24

  • Tests: re-enabled SystemUserServiceTest under fixture-disabled test track (#997).
    • Removed class-level disable guard and aligned authority assertion with current system-user contract (ROLE_ADMIN present for system context).
    • Added deterministic fixture checklist doc: deterministic-fixture-checklist.mdx.

2026-03-23

  • Content ops: ScribeBot throughput batch (project briefs #90/#92 + memory workstream #78/#86/#87/#88/#89)
    • Added a blog draft for ThorAPI, ContentData, and MemoryEntry.
    • Added social thread draft: content/social/2026-03-23-agent-memory-thread.txt
    • Added docs runbook: content-pipeline-scribebot.mdx
    • Focus: contract-first memory positioning with ThorAPI model/service grounding.

2026-03-06

  • Feature: Memory launch GTM assets packet (issue #631)
    • Added memory-launch-assets.mdx with launch-page hero/value copy and launch pricing draft.
    • Added retention/deletion/training-policy FAQ draft for external launch readiness.
    • Added public launch announcement draft and explicit traceability to epic #624.

2025-10-26

  • Feature: Integration Account Console
    • Added /integration-accounts LCARS dashboard that aggregates hero metrics, Thor-generated IntegrationAccountTable, and template-driven creation w/ ExecModule linking.
    • Auto-computed templates for every Thor ExecModule metadata entry plus curated one-click providers (OpenAI, Gemini, Gmail, Stripe, Twilio, Slack, HubSpot, Salesforce, SecureKey).
    • Inline linking updates ExecModules through updateExecModuleMutation, closing credential gaps for Workflow Studio, billing flows, and GitHub automations.
    • Surfaced SecureKey-backed usage stats and category filters to mirror workflow coverage dashboards.
  • Tests & Docs
    • Added IntegrationAccountConsole.test.tsx with RTL coverage for hero render, category filtering, and modal orchestration.
    • Authored Workflow Engine/integration-account-console.mdx detailing setup, security posture, and related workflow artifacts.

2025-09-06

  • Added local Ehcache 3 (JCache) configuration and Spring Cache wiring for high‑value hot paths.
  • Introduced sidByUsername cache for AclSid lookups via AclSidLookupService.
  • Added micro‑TTL permissionDecisions cache for AclService.hasPermission(...) decisions.
  • Reduced KMSSecureFieldAspect logging to WARN by default in production settings.
  • Included unit test for AclSidLookupService caching behavior.

2025-09-07

  • Fix: LLM Chat SYSTEM principal crash
    • Updated thorapi ACL to handle non-UUID principals safely.
    • ValkyrACL.resolveAuthenticatedPrincipalId now treats SYSTEM/anonymousUser case-insensitively and only parses UUID-looking strings.
    • Prevents Invalid UUID string: SYSTEM during LLM chat secure-field reads when running as SYSTEM.
  • Hardening: SystemSidInitializer idempotency
    • Both thorapi and valkyrai SystemSidInitializer set deterministic UUIDs and check by ID and name before saving.
    • Prevents duplicate SYSTEM/ADMIN/EVERYONE/AUTHENTICATED SIDs if both initializers are active.

2025-10-21

  • Feature: One-click digital product publishing pipeline

    • Added DigitalProductWorkflowProvisioner to seed a default workflow chaining DigitalFulfillmentModule, new DigitalDownloadNotificationModule, and MailtrapSendModule for automated delivery email.
    • DigitalFulfillmentService.prepareDigitalProduct now auto-attaches the workflow, marks products available immediately, and returns automation metadata for the UI.
    • Introduced refreshDownloadLink helper used by notification workflows to rotate tokens without creating duplicate access rows.
    • Created DigitalDownloadNotificationModule ExecModule to compose email payloads and forward download access IDs to downstream mail modules.
  • Feature: Digital product quick publish UX

    • Added DigitalProductQuickCreatePanel to the File Record console for single-click promotion of scanned uploads to the product catalog.
    • Added RTK Query DigitalProductService + UI tests; integrates automation summary in success state so operators understand the workflow chain.
  • Tests

    • New unit suites for DigitalProductWorkflowProvisioner and DigitalDownloadNotificationModule plus RTL coverage for the quick create panel.

2025-09-08

  • Fix: Replace javax.servlet with jakarta.servlet in OpenAPI templates

    • Updated apiDelegate.mustache to use jakarta.servlet.http.HttpServletRequest.
    • Updated modelTest.mustache imports to jakarta.servlet.http.HttpServletRequest.
    • Regenerated API code for valkyrai; compile errors referencing javax.servlet.http resolved.
    • Added defensive null checks in ApiUtil.setExampleResponse and now pass HttpServletResponse via ServletRequestAttributes to avoid NPE during example response rendering.
  • Feature: Lightweight per-entity stats endpoint and secured repository convenience queries

    • Added derived Spring Data methods to every *PageableRepository:
      • count(), countByOwnerId(UUID ownerId), countByCreatedDateAfter(OffsetDateTime), countByLastModifiedDateAfter(OffsetDateTime), findTopByOrderByCreatedDateDesc()
    • Added GET /v1/<Entity>/stats endpoint per API interface returning JSON stats:
      • count, ownedCount, createdLast24h, modifiedLast24h, latestCreatedAt
    • Implemented in delegates with @PreAuthorize("hasRole('EVERYONE') or hasRole('ADMIN')") and user-scoped cache keys.
  • Change: Relationship fetch based on requiredness

    • In generated JPA models, associations now use:
      • fetch = EAGER when the property is required
      • fetch = LAZY when the property is optional
    • For @ManyToOne, optional and @JoinColumn(nullable=...) mirror required.
    • Keeps payloads lean while eagerly resolving mandatory links.
  • Fix: Stable JSON for Hibernate lazy proxies

    • Added Jackson Hibernate datatype support for lazy-loaded entity serialization.
    • Disabled forced lazy loading; serialize identifiers for uninitialized proxies.
    • Added Jackson mixins to ignore hibernateLazyInitializer/handler on proxies.
    • Resolves ByteBuddy proxy serialization failures on Application.openAPISpec.
  • Feature: Pimped ExecModules (Email + Stripe)

    • Added comprehensive Javadoc for MailtrapSendModule, EmailModule, and StripeCheckoutModule (inputs, outputs, env, error codes).
    • New docs page: Stripe module covering setup and usage.
    • UI: Palette icons now include Stripe via react-icons/si (SiStripe).
    • UI: Palette fetch hardened to accept API responses as either ["Class"] or [{ className: "Class" }].
    • UI: Module picker shows friendly names for Stripe and Email modules when name is unset.
    • Tests: Added StripeCheckoutModuleTest covering input validation and error branches.