Canvas Notebook v2026.5.28.6
Canvas Notebook v2026.5.28.6 is the refreshed production-ready release with the latest CodeQL security hardening included. It keeps the major v2026.5.28 release story intact: a self-hosted AI workspace with persistent agents, Studio workflows, local email OAuth, automations, integrations, and the new desktop app distribution path.
Security Update
This release adds a dedicated CodeQL hardening pass across API routes, file handling, OAuth flows, generated HTML responses, agent/session IDs, automation persistence, Studio output handling, and setup/runtime utilities.
Key fixes include:
- Escaped HTML in OAuth callback responses.
- Validated OAuth flow identifiers before using them in file paths.
- Replaced Math.random-derived session IDs with
crypto.randomUUID(). - Hardened internal HTML-to-PDF rendering origin handling.
- Tightened file/path handling in Studio, upload, output, watcher, and automation code paths.
- Updated the algorithmic-art seed template to reduce unsafe inline behavior.
Highlights From The Production Release
Desktop App Builds
Canvas Notebook ships with an Electron desktop client for macOS, Windows, and Linux. The desktop app connects to your hosted Canvas Notebook instance, checks server health, remembers the server URL, opens external links safely in the system browser, keeps native window state, and supports desktop notifications for chat activity.
Release-tag builds now upload desktop installers directly to the matching GitHub Release. Starting with this release, desktop artifact filenames use the full Canvas build version.
Smarter Agents With Persistent Memory
Agents can use a dedicated persistent memory layer instead of ad-hoc file writes. Canvas Notebook stores curated agent and user memory under the agent storage model, keeps session summaries separate from long-term memory, and adds guardrails around memory size, duplicates, and secret-like content.
The agent runtime also includes session search and delegated ephemeral worker tasks, so agents can retrieve previous work and split focused subtasks while the main conversation stays coherent.
Production-Ready Self-Hosted Workspace
Canvas Notebook remains container-first: install once, keep /data persistent, and update from the host with canvas-notebook update. This release line also includes stronger stale-request handling, managed license certificate fetching, license activation copy improvements, and Node 24-ready GitHub Actions.
Local Email OAuth And Integrations
Local Google and Microsoft email OAuth can be configured from the app in addition to managed mode. Email account, draft, send, search, and policy routes are wired through the local service layer, with credentials managed through the integrations settings area.
Studio Workflow Improvements
Studio includes a reworked add-reference dialog, better mobile reference previews, fixed output downloads, and smoother handling for creative image/video/audio workflows.
What's Included
- CodeQL security hardening across server routes and runtime helpers
- Full-version desktop artifact filenames
- Electron desktop shell for hosted Canvas Notebook instances
- Native desktop chat notifications
- Release asset upload for desktop installers
- Persistent agent memory tool and storage model
- Session search and delegated worker tools
- Local Google/Microsoft email OAuth service support
- Studio reference and output workflow fixes
- Node 24-ready GitHub Actions
- CLI/package/electron build version
2026.5.28.6
Upgrade Notes
For server installs, use the existing host CLI:
canvas-notebook updateYour workspace, database, skills, agent files, and secrets remain under /data and survive container updates.
Desktop downloads are attached to this release after the platform builds complete. The desktop app is a native shell for an already hosted Canvas Notebook instance; it does not store workspace data locally as the source of truth.
Validation
npm run lintnpm run build- Workflow YAML parse check
- CLI version injection check
Changelog
Full changelog since the previous release candidate: v2026.5.28.5...v2026.5.28.6
Feature-wave changelog since the last detailed 2026.5.28 release: v2026.5.28.1...v2026.5.28.6
Full Changelog: v2026.5.28.5...v2026.5.28.6