Tenant RBAC headline release: 4-tier role matrix (Owner/Admin/
Contributor/Viewer), per-KB resource ownership, per-tenant audit
log, tenant member management, self-service workspaces.
Also: CLI v0.3/v0.4 GA, KB retrieval fan-out across vector stores,
AES-256-GCM credential at-rest, docreader gRPC TLS+Token, Zhipu
embedding, Huawei OBS, vLLM URL for MinerU, Apache Doris compat
modes, server-side user preferences, Go 1.26.0.
See CHANGELOG.md for the full list.

docs(rbac): wire RBAC screenshots into READMEs and RBAC guide

- README.md / README_CN.md / README_JA.md / README_KO.md: replace the
  single member-management thumbnail under the v0.6.0 RBAC highlight
  with a 2×2 showcase (member management, workspace switcher,
  self-service workspace creation, pending invitations).
- docs/RBAC说明.md: add the member-management screenshot to the
  existing 前端实际界面 ("Actual Frontend Interface") showcase so the
  guide is self-contained and no longer cross-references README for it.

feat(rbac-ui): link tenant member page to RBAC guide

Add an inline doc-link in the Tenant Members settings page that
opens docs/RBAC说明.md on GitHub in a new tab, complementing the
existing in-app role-matrix popover. New i18n key
tenantMember.learnRbacGuide covered for zh-CN / en-US / ko-KR /
ru-RU.

Bump version to v0.5.2 across VERSION, Helm chart, frontend package
files, and cloud-image script comment. Update CHANGELOG and all four
language READMEs with v0.5.2 highlights (Wiki Mode at scale, MCP
human-in-the-loop approval, new LLM/vector/storage/search backends,
adaptive 3-tier chunking, global command palette, CLI preview, etc.).

Bump version to 0.5.1 across VERSION, frontend package files, and
Helm chart, and refresh CHANGELOG plus the four-language README
"Latest Updates" section to merge v0.5.1 highlights with the v0.5.0
core feature set.

The Secret template defaulted both keys to randAlphaNum 32, which Helm
re-rolls on every template render. As a result, any `helm upgrade`
without explicit secrets.systemAesKey / secrets.tenantAesKey rotated
the keys, breaking decryption of every previously encrypted field
(tenants.api_key, model API keys, vector store credentials, web
search provider keys, WeKnoraCloud.AppSecret) and surfacing
"enc:v1:..." ciphertext in the UI.

Use Helm's `lookup` to reuse the values stored in the existing Secret
when one is already present, falling back to randAlphaNum only on
first install. Also document the recovery caveat in values.yaml so
operators understand the risk of relying on the auto-generated value.

Bump version to v0.5.0 across VERSION, frontend/package.json,
frontend/package-lock.json and helm/Chart.yaml.

Highlights:
- Wiki Mode: agent-driven Wiki knowledge system that distills raw
  documents into interlinked markdown pages, with a dedicated
  WikiBrowser and an interactive knowledge graph visualizing page
  references and relationships.
- Observability: Langfuse tracing across the agent ReAct loop, LLM
  token usage, tool calls and the asynq async pipeline.
- Customizable indexing strategy: per-knowledge-base toggles for
  vector / keyword / Wiki / knowledge-graph indexing.
- Vector Store UI & per-KB binding.
- Yuque connector with full / incremental sync.
- Agent enhancements: json_repair tool, OpenMAIC Classroom skill,
  multi-sheet DuckDB Excel analysis.
- Docs: refreshed READMEs (EN/CN/JA/KO), CHANGELOG, QA, regenerated
  Swagger and updated architecture diagram with new Wiki/Langfuse
  components.

- Added new integrations for Telegram, DingTalk, and Mattermost IM channels.
- Introduced a pluggable slash command system and a suggested questions feature for enhanced user interaction.
- Implemented VLM auto-description for images returned by MCP tools.
- Improved stability of MCP tool names and added channel tracking for knowledge entries.
- Fixed multiple bugs including empty responses when no knowledge base is configured and UTF-8 truncation issues.
- Updated documentation to reflect new features and enhancements.

- Add crypto utility (internal/utils/crypto.go) with AES-256-GCM encrypt/decrypt
  using SYSTEM_AES_KEY env var, with "enc:v1:" prefix for versioned ciphertext
- Encrypt tenant API key via GORM BeforeSave/AfterFind hooks and manual
  encryption in CreateTenant/UpdateAPIKey (db.Updates bypasses hooks)
- Encrypt model API key in ModelParameters Value/Scan (driver.Valuer)
- Widen api_key column from varchar(64) to varchar(256) across all DB dialects
  (MySQL, ParadeDB, SQLite) and add versioned migration 000018
- Propagate SYSTEM_AES_KEY through docker-compose, Helm secrets and values
- Fix migration 000017 PL/pgSQL dollar-quoting syntax ($ -> $$)
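
The "enc:v1:" scheme from the crypto-utility commit above, and the decryption failure the Helm Secret commit describes when a key is re-rolled, shown as an added Go example that is not the project's internal/utils/crypto.go. The function names, the base64 encoding, the nonce-first layout and the pass-through of unprefixed values are assumptions; the keys are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

const prefix = "enc:v1:" // version tag named in the commit message

// NewAEAD builds AES-GCM; requiring a 32-byte key pins it to AES-256.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Encrypt returns prefix + base64(nonce || ciphertext || tag), fresh nonce per call.
func Encrypt(a cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return prefix + base64.StdEncoding.EncodeToString(a.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// Decrypt returns unprefixed values unchanged (assumption: legacy plaintext rows).
func Decrypt(a cipher.AEAD, stored string) (string, error) {
	if !strings.HasPrefix(stored, prefix) {
		return stored, nil
	}
	raw, err := base64.StdEncoding.DecodeString(stored[len(prefix):])
	if err != nil || len(raw) < a.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	// The GCM tag check fails when the key differs from the one used to encrypt.
	pt, err := a.Open(nil, raw[:a.NonceSize()], raw[a.NonceSize():], nil)
	return string(pt), err
}

func main() {
	k1, _ := NewAEAD([]byte("constructed-sample-key-32-bytes!")) // constructed keys
	k2, _ := NewAEAD([]byte("re-rolled-key-after-helm-upgrade"))
	ct, _ := Encrypt(k1, "sk-constructed")
	fmt.Println(Decrypt(k2, ct)) // error: ciphertext was sealed under k1
}
```

A caller that falls back to showing the stored value when Decrypt returns an error would display the raw "enc:v1:..." string, so the error should be surfaced or alerted on instead.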
Official Docker images (nginx, postgres, redis, paradedb) run as root
by default. Disabled runAsNonRoot and readOnlyRootFilesystem to ensure
compatibility.

Changes:
- global.podSecurityContext: removed runAsNonRoot
- global.containerSecurityContext: removed runAsNonRoot, readOnlyRootFilesystem
- Component securityContext: commented out incompatible settings
- app.image.tag: changed from "" to "latest" (versioned tags not available)

Tested on local Kubernetes cluster (k3s) with all pods running successfully.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>