This is a beta pre-release in the 0.8.0 line. Changes since v0.8.0b2:
Added
- MCP file upload now records and can verify a SHA-256 of the uploaded bytes.
The/files/ulroute computes the digest of exactly the received bytes and
stores it in the completion record ({source_id, name, size, mime, sha256}),
whichawait_uploadsurfaces. An optional?sha256=<hex>lets a client assert
transit integrity — a mismatch returns a clean400before the source is added
(the single-use token rolls back and stays retryable)
(#1889). - MCP
await_uploademits progress keepalives while it polls, so an MCP host
no longer treats a long upload wait as a stalled call (ctx.report_progressat
start and on each ~2s tick; best-effort, and a no-op without a client progress
token) (#1889). - MCP remote
studio_downloadreturns the report / data-table body inline
(bounded, alongside the signed link) so a remote host can read a generated
report without a second fetch
(#1911). studio_statusreportsmedia_ready,studio_downloadreports
size_bytes, andstudio_retryraises an actionable error when an artifact
can't be retried, instead of a bare failure
(#1924).- Deploy quick start for end users: the shipped Compose defaults to the
:latestimage, and each release now attaches a version-baked
docker-compose.yml+env.example
(#1904).
Changed
- MCP: the standalone
studio_get_prompttool was folded intostudio_list
(net −1 tool, ADR-0025 tool-surface consolidation). Each artifact's
generation_prompt(the free-text prompt it was generated from,nullwhen it
records none) now rides the defaultstudio_listsummary listing, and
studio_list(item=<artifact>)returns it for a single artifact resolved by id or
exact title (the unified cross-type Studio resolver, asstudio_delete/
studio_renameuse — not the old artifact-scoped title-prefix resolver). The
prompt is decoded from the sameLIST_ARTIFACTSrow the listing already fetches,
so this adds no extra request. The CLInotebooklm artifact get-promptcommand
is unchanged.
(#1896) - The in-app upload widget's token pool gets a longer (1h) TTL. The widget
mints one single-use token per file up front but uploads them sequentially, so
a later file in a large batch could hit an expired token mid-upload; the pool
now usesWIDGET_UPLOAD_TTLinstead of the 15-minute default. The single-use /
signed-token model is unchanged
(#1894).
Fixed
- MCP
notebook_describe(include_metadata=true)no longer reports a source
count that disagrees with its ownsourceslist. The exposed
metadata.notebook.sources_countis now re-projected to the enumerated
(id-bearing, deduped) source count instead of the raw unfiltered
GET_NOTEBOOKrow count, which could inflate it (e.g. 168 vs 50) and mislead
autonomous agents on quota / completeness. Source enumeration
(source_list/metadata.sources) also dedups duplicate id-bearing rows
(research re-imports, ghost/probe echoes), keeping the first occurrence
(#1919). - MCP
research_importis safe for unattended use. The tool now imports via
the timeout-tolerantimport_sources_with_verification(as the CLI does), so a
deep-research import that times out is reconciled against what the server
actually committed instead of failing as if nothing imported (hiding a large
partial import). It also gained optionalcited_only(import only the sources
the report cites) andmax_sources(cap the count imported, applied after
cited_only) so one call can't silently blow a notebook to its source cap.
(#1920) source_addbatch mode isolates a per-URL failure instead of aborting the
whole batch: a bad URL now yields a per-itemSourceAddErrorwhile the other
sources in the same call still add, matching the tool's documented behavior
(#1905).- MCP
studio_generatefor interactive mind maps now normalizes its payload
to the bare node tree and returns a terminal poll shape, fixing malformed
generate requests and non-terminal status reports
(#1908,
#1914). - MCP
research_canceldistinguishes an already-cancelled run and surfaces
the raw status code instead of a generic failure
(#1922). - Content-sanity flags bot-challenge / WAF interstitial pages, so a source
that fetched a challenge page instead of real content is reported rather than
silently ingested as thin content
(#1929). suggest_promptsstrips a leading list marker from returned prompts, and
research_startdrops redundant ids from its result
(#1909).- The MCP server warns at startup when the upload widget is enabled but
stateless HTTP is disabled (FASTMCP_STATELESS_HTTPexplicitly falsey),
which would silently stop the widget from rendering
(#1915).
Security
- The loopback DNS-rebinding
Hostguard is no longer bypassed on a tokenless
local bind. The guard is skipped only when an external bind is opted into
and authentication (bearer or OAuth) is configured — the
ALLOW_EXTERNAL_BINDflag alone (e.g. set while--hoststays at loopback) no
longer disables it, closing a rebinding gap on an unauthenticated local server
(#1935). - Client-facing RPC errors no longer leak the obfuscated internal method id or
the raw upstream status code, trimming information disclosure in error
messages (#1931).
Full 0.8.0 cycle changelog: CHANGELOG.md. Install with pip install --pre notebooklm-py==0.8.0b3.