v1.15.4

What's Changed

• Revert PR #116 — restore /analytics page (v1.15.3 broke prod) by @jpr5 in #117
• Release v1.15.4 — re-ship v1.15.3 analytics changes with fixed SQL + defensive Promise.allSettled by @jpr5 in #118

Full Changelog: v1.15.3...v1.15.4

v1.15.3

What's Changed

• fix(indexer): strip NUL bytes before Postgres insert (unblock ag-ui-code source) by @jpr5 in #114
• Sweep NUL-byte sanitization across non-chunk writers and chunk read paths by @jpr5 in #115
• Release v1.15.3 — analytics view: blocked filter + Blocked Queries panel + Pacific timestamps by @jpr5 in #116

Full Changelog: v1.15.2...v1.15.3

v1.15.2

What's Changed

• docs: v1.15 OAuth consent flow, new env var, WWW-Authenticate RFC 9728/6750 by @jpr5 in #110
• ci: bump deploy-pages.yml actions to Node 24 (pre-Sep 2026 deprecation) by @jpr5 in #111
• Release v1.15.2 — abuse query-pattern blocklist + query_log IP/UA attribution by @jpr5 in #113

Full Changelog: v1.15.1...v1.15.2

v1.15.1

What's Changed

• Wire RFC 9728 resource_metadata discovery into Bearer 401 + observability by @jpr5 in #107
• Release v1.15.1 — RFC 9728 resource_metadata + RFC 6750 conformance by @jpr5 in #109

Full Changelog: v1.15.0...v1.15.1

v1.15.0

What's Changed

• Pathfinder gap-report remediation: hybrid search + docs repoint + ag-ui sources + chunker/durability by @jpr5 in #93
• Admin access: unified privileged-surface auth + admin-ops control surface + Atlas hardening by @jpr5 in #97
• Atlas ratification robustness + admin control surface operator docs by @jpr5 in #98
• Monthly Pathfinder gap-analysis automation by @jpr5 in #96
• Fix Atlas incremental-indexing precision (microsecond high-water binds) + null-state-token window by @jpr5 in #99
• Mount the harvest driver as the atlas harvest verb by @jpr5 in #101
• Route GET /api/search and prove the harvest end-to-end by @jpr5 in #102
• Atlas seed-harvest pipeline (Tier 1-3, approval artifact, sync) by @jpr5 in #100
• Fix atlas state-token precision stranding approved seeds by @jpr5 in #104
• Document the atlas harvest sandbox runbook by @jpr5 in #103
• OAuth phishing-resistance: consent screen, HMAC nonce, redirect policy, client cap by @jpr5 in #106
• Release v1.15.0 — OAuth phishing-resistance hardening by @jpr5 in #108

Full Changelog: v1.14.0...v1.15.0

v1.14.0

What's Changed

• ci(deps): bump zizmorcore/zizmor-action from 0.5.4 to 0.5.6 in the minor-and-patch group by @dependabot[bot] in #81
• chore: Configure Renovate by @renovate[bot] in #85
• ci(deps): bump the minor-and-patch group with 2 updates by @dependabot[bot] in #89
• Centralize Slack notifications on org-level SLACK_WEBHOOK_OSS_ALERTS secret by @jpr5 in #92
• Atlas foundation: codebase-knowledge layer in Pathfinder (off-by-default) by @jpr5 in #94
• Release @copilotkit/pathfinder 1.14.0 (atlas CLI) by @jpr5 in #95

New Contributors

• @renovate[bot] made their first contribution in #85

Full Changelog: v1.13.3...v1.14.0

v1.13.3

What's Changed

• Add dedup to reindex audit Slack alerting by @jpr5 in #61
• Only alert on unreleased commits older than 24h by @jpr5 in #62
• Harden publish-release.yml: split build and publish into separate jobs by @jpr5 in #63
• Fix git credentials in publish job for tag push by @jpr5 in #64
• Harden real-time re-indexing pipeline by @jpr5 in #65
• ci: harden CI/CD security by @jpr5 in #66
• ci(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.4 in the minor-and-patch group by @dependabot[bot] in #67
• fix(ci): bump upload-pages-artifact v3 to v5 with include-hidden-files by @jpr5 in #77
• ci(deps): bump actions/checkout from 4.3.1 to 6.0.2 by @dependabot[bot] in #70
• ci(deps): bump docker/build-push-action from 5.4.0 to 7.1.0 by @dependabot[bot] in #76
• ci(deps): bump actions/cache from 4.3.0 to 5.0.5 by @dependabot[bot] in #75
• ci(deps): bump actions/setup-node from 4.4.0 to 6.4.0 by @dependabot[bot] in #74
• ci(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by @dependabot[bot] in #73
• ci(deps): bump actions/deploy-pages from 4.0.5 to 5.0.0 by @dependabot[bot] in #72
• ci(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #71
• ci(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 by @dependabot[bot] in #69
• Quiet #oss-alerts: failure-only deploy notifications, daily unreleased check by @jpr5 in #78
• fix(ci): strip @mentions from dependabot major version analysis comments by @jpr5 in #79
• Harden CI: npm auth, git scope, JSON injection, timeouts by @jpr5 in #80

New Contributors

• @dependabot[bot] made their first contribution in #67

Full Changelog: v1.13.2...v1.13.3

v1.13.2

What's Changed

• Add response compression for all HTTP endpoints by @jpr5 in #58
• Fix stale chunk cleanup in fullAcquire by @jpr5 in #59
• Post-reindex health audit with Slack alerting by @jpr5 in #60

Full Changelog: v1.13.1...v1.13.2

v1.13.1

What's Changed

• Enable JSON responses on Streamable HTTP for Codex CLI compatibility by @jpr5 in #57

Full Changelog: v1.13.0...v1.13.1

v1.13.0

What's Changed

• debug: detailed OAuth request logging by @jpr5 in #33
• OAuth: add refresh token, client secret, metadata fields for claude.ai compat by @jpr5 in #34
• Add legacy SSE transport at /sse for claude.ai web connector by @jpr5 in #35
• docs: OAuth + SSE transport for Pathfinder users by @jpr5 in #36
• Fix analytics-server test path resolution by @jpr5 in #32
• docs: reorder Authentication section in config reference by @jpr5 in #37
• Analytics: date range picker with custom range + chart bar click by @jpr5 in #38
• Analytics: fix stats/charts not updating + Today preset by @jpr5 in #39
• Harden analytics subsystem by @jpr5 in #40
• Suppress spurious bash-fs startup warning for repo-backed sources by @jpr5 in #41
• Rate limiter: IP allowlist + descriptive rejection payloads by @jpr5 in #42
• Drift cleanup from PR #42 CR rounds (sample) by @jpr5 in #43
• Pathfinder drift cleanup by @jpr5 in #44
• Analytics time-window correctness: gap-fill, URL persistence, and data-availability label by @jpr5 in #45
• feat: add aimock-docs Pathfinder config by @mxmzb in #48
• Add cross-navigation footer by @jpr5 in #49
• Add index health monitor workflow by @jpr5 in #50
• Fix og:image for social platform compatibility by @jpr5 in #51
• feat: forward MCP session events to telemetry-sink lambda by @BenTaylorDev in #52
• Regenerate og:image PNG to match diamond favicon by @jpr5 in #53
• chore(docs): add RB2B + Reo + PostHog pixels to docs site by @BenTaylorDev in #54
• fix(analytics): dashboard predicate, tab dedup, chart a11y, ISO timestamps by @samjulien in #55
• Session hardening: global cap, two-tier TTL, lazy workspace by @jpr5 in #56

New Contributors

• @mxmzb made their first contribution in #48
• @BenTaylorDev made their first contribution in #52
• @samjulien made their first contribution in #55

Full Changelog: v1.12.0...v1.13.0