Important
This release candidate includes changes to the database and API. Please back up your data before upgrading.
What's Changed
-
Embedded MCP server for AI clients.
Memos now exposes an in-process MCP endpoint at/mcpusing Streamable HTTP. It accepts PATs and exposes memo CRUD, comments, attachments, relations, reactions, tag listing, prompts, and memo resources for MCP-compatible clients. -
Live updates via Server-Sent Events.
The web app now connects to/api/v1/sse, shows connection status in the user menu, and refreshes active memo views when memo, comment, and reaction events arrive. Follow-up fixes ensure comment creation no longer double-broadcasts and that attachment and relation changes emitmemo.updated. -
Share links for memos, including protected and private use cases.
Users can create and revoke memo share links from the memo detail sidebar, optionally with expiration. Shared memo access is handled through the memo detail route's share-token mode, and direct attachments on the shared memo can be fetched with that share token. Invalid, expired, or archived shares resolve as not found. -
Tag metadata became substantially more expressive.
Instance-level tag metadata now supports background colors andblur_content, and the frontend resolves tag keys as anchored regex patterns. A single rule can now style or blur a family of tags instead of only exact matches. -
Auth, privacy, and admin-safety hardening.
Session handling is more resilient through cross-tab token refresh synchronization and refresh-cookie recovery when local token state is empty. Protected memo access redirects to sign in, archived memos are creator-only, user emails are hidden from other regular users, and SMTP, S3, and OAuth credentials are now write-only with sensitive instance settings restricted to admins. -
Attachments, media, and frontend resilience improved.
Local attachment uploads no longer overwrite existing files, audio attachments render inline, image previews support arrow-key navigation, markdown imageheightandwidthattributes are preserved, and chunk-load failures after redeploys trigger an automatic reload path. -
The public
ActivityServicewas removed.
Consumers should migrate to the user notification APIs instead of depending on the old public activity endpoints. -
User resource names now use usernames.
API clients and scripts that assumed the old numeric-style user resource naming should be updated to use username-based names such asusers/alice. -
Identity provider resource names now use stable UIDs.
Integrations that persisted the previous identifier format should be reviewed before upgrading. -
The
disallow_public_visibilitysetting was removed. -
New installs default attachment storage to local filesystem.
Existing instances keep prior behavior through migration and should not silently change storage backend.
π Featured Sponsors
Warp β The AI-powered terminal built for speed and collaboration
TestMu AI - The worldβs first full-stack Agentic AI Quality Engineering platform
SSD Nodes - Affordable VPS hosting for self-hosters
New Contributors
- @ztm0929 made their first contribution in #5663
- @mostapko made their first contribution in #5669
- @biplavbarua made their first contribution in #5468
- @bad-ash made their first contribution in #5496
- @thefatcode made their first contribution in #5499
- @lilonghe made their first contribution in #5504
- @memoclaw made their first contribution in #5683
- @peteretelej made their first contribution in #5681
- @google-labs-jules[bot] made their first contribution in #5747
- @fiatcode-gh made their first contribution in #5748
- @darkestni made their first contribution in #5738
Full Changelog: v0.26.2...v0.27.0-rc.1