github HKUDS/DeepTutor v1.4.10
on GitHub

5 hours ago

DeepTutor v1.4.10 Release Notes

Release Date: 2026.06.21

A deployment-and-account follow-up to v1.4.9: a self-service
profile page with avatars, a hardened container story you can run rootless
behind a single port, and tighter MCP tool access in multi-user deployments.
Drop-in for everyone — the one behavior change is scoped to non-admin users in
multi-user mode.

Heads-up for multi-user deployments. MCP tools are now deny-by-default
for non-admin users: a regular user can no longer discover or load
deployment-wide MCP host tools until an admin grants the specific tool names
in their grant. Admins stay unrestricted, and single-user / no-auth installs
are unaffected (their session runs as admin). Nothing migrates and nothing
breaks on upgrade — if your non-admins need MCP tools, grant the names in the
user's grant.

What's New

Profile page with avatars

Every signed-in user gets a self-service Profile page: pick a built-in icon
(with a color) or upload your own image as an avatar, see your account and role,
and sign out. Your avatar then shows up in the sidebar, and an admin ring marks
admin accounts at a glance.

Run DeepTutor in a container, rootless-ready

A new CONTAINERIZATION.md
guide covers three shapes — plain docker run, docker compose with the
PocketBase sidecar, and a hardened rootless Podman path (compose.yaml,
read-only root filesystem, tmpfs system dirs) — plus a .env.example to start
from. The frontend now proxies /api/* and /ws/* to the backend at request
time, so the browser only ever talks to one port (:3782): no API URL baked
into the JS bundle, no startup sed. Map a single port and you're done.

Tighter MCP tool access in multi-user mode

As noted above, non-admin users now fail closed on MCP tools until an admin
grants the names. The grant editor surfaces MCP tool grants alongside the
built-in tool whitelist, so you can see and set exactly what each user can reach.

Quieter logs

Routine 200s — the chatty frontend polling of /settings, /tools,
/knowledge/list, and friends — no longer flood the console. uvicorn's
per-request access log is now disabled on every launch path (deeptutor start, the launcher, and the Docker entrypoint), and a single middleware
surfaces only non-200s, the ones actually worth seeing.

Fixes

  • Client auth state resolves at request time through the new proxy, which also
    sizes the request body for uploads (avatar images, attachments).
  • Avatar rendering falls back safely for unknown colors instead of turning
    invisible; the auth-status fetch is de-duplicated.
  • docker-compose.yml PocketBase mount path corrected.

Upgrade Notes

Drop-in from v1.4.9: pip install -U deeptutor; Docker users pull
ghcr.io/hkuds/deeptutor:latest. No migrations, no configuration changes.
Multi-user deployments only: if your non-admin users rely on MCP tools,
grant the specific tool names per user — they fail closed until you do.

Full Changelog: v1.4.9...v1.4.10

Check out latest releases or
releases around HKUDS/DeepTutor v1.4.10

Don't miss a new DeepTutor release

NewReleases is sending notifications on new releases.

Get notifications