Added
- Added Canvas-native Excalidraw live collaboration with multi-user presence, durable scene and asset persistence, reconnect/resync handling, and agent patch review after user intervention.
- Added resilient chunked workspace uploads, workspace document previews and relations, searchable organization policy targets, and grouped chat tool batches.
- Added a complete third-party license inventory, authenticated Legal downloads, exact native source evidence, and release-bound amd64/arm64 compliance artifacts.
Changed
- Rebuilt both shipped Sharp versions against a replaceable shared libvips built from an exact source archive, and excluded all prebuilt
@img/sharp-*payloads from Docker releases. - Pinned Debian, PostgreSQL and Python runtime inputs to immutable snapshots, versions and hashes, with schema-4 runtime inventories and a pre-manifest multi-architecture evidence gate.
- Improved workspace-aware agent access, Markdown document references, chat presentation, plugin policy targeting, and upload progress handling.
Fixed
- Fixed workspace upload retries and finalization, repeated bulk folder moves, knowledge-graph document search, Markdown editor state alignment, and Marp export memory handling.
- Synchronized all transitive peer and optional dependencies in
package-lock.jsonand added a clean-install dry-run to the permanent release gate. - Bootstrapped CA certificates from the same signed Debian snapshot before switching APT to HTTPS, and replaced the redundant Debian libvips binary with explicit runtime dependencies for the source-built shared libvips.
- Kept the complete libvips development-header set in the isolated dependency stage so both Sharp versions compile against that shared library without adding development packages to the runtime image.
- Restricted Python PEP 639 license discovery to
.dist-info/licenses, preventing architecture-specific bytecode in packages namedlicensesfrom creating false multi-architecture compliance drift.
Verification
npm run verify:releasenpm run test:licensesnpx tsc --noEmit --pretty false- pip hash-resolution dry-runs for CPython 3.11 on linux/amd64 and linux/arm64
- direct SHA-256 verification of all pinned PGDG binary and source artifacts