-
v1.2.0 - Auth and Users Stable
released this
2026-05-08 22:15:20 +02:00 | 276 commits to main since this releasev1.2.0 - Auth and Users
Release Date: 2026-05-08
Milestone: v1.2.0 (Auth and Users)
This milestone delivers a complete authentication and user management system with modern password hashing and JWT-based stateless authentication. All API endpoints now require authentication, providing a secure foundation for multi-user platform access.
Added
User Management with Argon2id Password Hashing
- PasswordHashingService using Argon2id algorithm for secure password storage
- 64MB memory requirement (m=65536)
- 3 iterations (t=3)
- Parallelism factor of 1 (p=1)
- Argon2id variant for resistance to both GPU cracking attacks and side-channel attacks
- Bouncy Castle provider (bcprov-jdk18on 1.78.1) for Argon2 implementation
- Constant-time hash comparison to prevent timing attacks
- PHC string format:
$argon2id$v=19$m=65536,t=3,p=1$[salt]$[hash]
User CRUD APIs
-
UserController REST endpoints:
GET /api/users- List all usersGET /api/users/{id}- Get user by IDPOST /api/users- Create new user with password hashingPATCH /api/users/{id}- Update user (username, email, role)PATCH /api/users/{id}/password- Change user passwordDELETE /api/users/{id}- Delete user
-
UserService enhancements:
create(user, plainPassword)- Hash password and create userupdate(id, updates)- Update user with change trackingupdatePassword(id, newPlainPassword)- Securely change password- Username and email uniqueness validation
- Structured logging for all user operations (create, update, password change, delete)
- Change tracking for user updates (before/after values logged)
-
DTOs:
UpdatePasswordRequest- Password change request validationUpdateUserRequest- User update with email and role validation
JWT Infrastructure
-
JJWT library version 0.12.6 for JWT token management
- jjwt-api - JWT API
- jjwt-impl - JWT implementation
- jjwt-jackson - Jackson integration for JSON serialization
-
JwtService for token generation and validation:
generateAccessToken(userId, username, role)- Create short-lived access tokengenerateRefreshToken(userId)- Create long-lived refresh tokenparseToken(token)- Parse and validate JWT claimsisTokenValid(token)- Check token validity and expiration- Extract userId, username, role, and token type from tokens
- Access tokens valid for 15 minutes (configurable via
jwt.access-token-validity-ms) - Refresh tokens valid for 7 days (configurable via
jwt.refresh-token-validity-ms) - Tokens signed with HS256 (HMAC-SHA256) algorithm
- JWT secret configurable via
jwt.secretproperty (MUST change in production)
-
Token Claims:
sub(subject) - User IDusername- Usernamerole- User role (OWNER, ADMIN, USER, VIEWER)type- Token type (access or refresh)iat- Issued at timestampexp- Expiration timestamp
Authentication Endpoints
-
AuthenticationService:
login(username, password)- Authenticate user and generate tokensrefreshToken(refreshToken)- Generate new access token from refresh token- Password verification using PasswordHashingService
- Structured logging for login attempts (success and failure)
- Structured logging for token refresh operations
- BadCredentialsException for invalid credentials or tokens
-
AuthenticationController REST endpoints:
POST /api/auth/login- User login with username and passwordPOST /api/auth/refresh- Refresh access token using refresh token
-
DTOs:
LoginRequest- Login credentials validationRefreshTokenRequest- Refresh token validationAuthenticationResponse- Login/refresh response with tokens and user info
JWT Authentication and Authorization
-
JwtAuthenticationFilter:
- Extracts JWT from
Authorization: Bearer <token>header - Validates token signature and expiration
- Only accepts access tokens (rejects refresh tokens)
- Populates Spring Security context with user information
- Creates
UsernamePasswordAuthenticationTokenwith user ID as principal - Attaches
JwtAuthenticationDetailswith userId, username, and role - Grants
ROLE_<role>authority for role-based authorization - Silently skips authentication for invalid/expired tokens (401 returned by framework)
- Extracts JWT from
-
SecurityContextHelper utility:
getCurrentUserId()- Get current authenticated user IDgetCurrentUsername()- Get current authenticated usernamegetCurrentUserRole()- Get current authenticated user roleisAuthenticated()- Check if user is authenticatedhasRole(role)- Check if user has specific role
-
SecurityConfig enhancements:
- CSRF protection disabled (stateless JWT authentication)
- Stateless session management
- Method-level security enabled with
@EnableMethodSecurity - Public endpoints:
/api/auth/**,/api/health,/actuator/** - All other
/api/**endpoints require authentication - JWT filter registered before
UsernamePasswordAuthenticationFilter
Security Features
-
Role-Based Access Control:
- User roles: OWNER, ADMIN, USER, VIEWER
- Spring Security authorities with
ROLE_prefix - Method security annotations supported:
@PreAuthorize,@Secured,@RolesAllowed
-
Security Logging:
- Login success and failure events
- Token refresh events
- User creation, updates, password changes, deletion
- Failed login attempts logged with reason for security monitoring
Changed
-
BREAKING CHANGE: All API endpoints now require authentication except:
/api/auth/**- Authentication endpoints/api/health- Health check endpoint/actuator/**- Spring Boot Actuator endpoints
-
User Management: All user operations now use Argon2id instead of BCrypt
- Existing BCrypt hashes incompatible (users must reset passwords)
Security Notes
-
Production Deployment:
- MUST change
jwt.secretproperty in production (default is for development only) - Recommended JWT secret length: at least 256 bits (32 characters) for HS256
- Consider using environment variables for secret management
- MUST change
-
Token Security:
- Access tokens are short-lived (15 minutes) to limit exposure window
- Refresh tokens are long-lived (7 days) but minimal (only userId and type)
- Only access tokens contain sensitive claims (username, role)
- Tokens are stateless - no server-side session storage required
-
Password Security:
- Argon2id with 64MB memory makes brute-force attacks computationally expensive
- Constant-time comparison prevents timing attack exploitation
- Salt is randomly generated per password (16 bytes)
- Hash output is 32 bytes
Configuration
New configuration properties:
jwt: secret: "CHANGE_ME_IN_PRODUCTION_THIS_MUST_BE_AT_LEAST_256_BITS_LONG_FOR_HS256" access-token-validity-ms: 900000 # 15 minutes refresh-token-validity-ms: 604800000 # 7 daysMigration Guide
For API Clients
All API requests (except auth endpoints) now require authentication:
# 1. Login to get tokens curl -X POST http://localhost:8080/api/auth/login \ -H "Content-Type: application/json" \ -d '{"username": "admin", "password": "password"}' # Response: {"accessToken": "...", "refreshToken": "...", "userId": "...", "username": "admin", "role": "ADMIN"} # 2. Use access token for authenticated requests curl http://localhost:8080/api/users \ -H "Authorization: Bearer <accessToken>" # 3. Refresh access token when expired curl -X POST http://localhost:8080/api/auth/refresh \ -H "Content-Type: application/json" \ -d '{"refreshToken": "<refreshToken>"}'For Developers
Access current user in Spring components:
@Service public class MyService { private final SecurityContextHelper securityHelper; public void myMethod() { UUID userId = securityHelper.getCurrentUserId(); String username = securityHelper.getCurrentUsername(); String role = securityHelper.getCurrentUserRole(); if (securityHelper.hasRole("ADMIN")) { // Admin-only logic } } }Use method security annotations:
@PreAuthorize("hasRole('ADMIN')") public void adminOnlyMethod() { // Only ADMIN role can call this } @PreAuthorize("hasAnyRole('ADMIN', 'OWNER')") public void privilegedMethod() { // ADMIN or OWNER can call this }Technical Details
-
Dependencies:
- Spring Boot Starter Security 4.0.0
- JJWT 0.12.6 (jjwt-api, jjwt-impl, jjwt-jackson)
- Bouncy Castle bcprov-jdk18on 1.78.1
-
Database Schema: Uses existing
userstable from v1.0.0password_hashcolumn stores Argon2id hashes in PHC format
-
Logging: All authentication and user management operations logged to
system_logstable- Categories: AUTH, API
- Events: USER_CREATED, USER_UPDATED, PASSWORD_UPDATED, USER_DELETED, LOGIN_SUCCESS, LOGIN_FAILED, TOKEN_REFRESHED
Included Patches
This milestone includes development patches v1.0.7-dev through v1.0.10-dev:
- v1.0.7-dev: User CRUD with password hashing (initially BCrypt)
- v1.0.8-dev: JWT infrastructure (JwtService, AuthenticationService)
- v1.0.9-dev: Switch from BCrypt to Argon2id
- v1.0.10-dev: JWT authentication filter and authorization enforcement
Known Limitations
- Single JWT secret for all tokens (consider key rotation in future)
- No token revocation mechanism (tokens valid until expiration)
- No password complexity requirements enforced (validation in future)
- No rate limiting on login attempts (future enhancement)
- No account lockout after failed login attempts (future enhancement)
Next Steps
The next milestone (v1.3.0) will focus on Model Providers, implementing:
- Model provider registry and configuration
- Ollama provider integration
- OpenAI provider integration
- Anthropic provider integration
- Provider health checks and fallback mechanisms
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
- PasswordHashingService using Argon2id algorithm for secure password storage
-
released this
2026-05-08 21:27:12 +02:00 | 287 commits to main since this releasev1.0.0 - Initial Runnable Platform Release
v1.0.0is the first runnable SYNAPSE baseline. It turns the planning repository into a local platform runtime with a Spring Boot backend, Vue dashboard, PostgreSQL migrations, structured logs, Docker Compose orchestration, and concrete runtime API checks.Added
- Complete documentation scaffold for architecture, agents, teams, AI-Firm, plugins, store, bundles, logging, theming, installer, CLI, ACP, MCP, skills, heartbeat, self-learning, multi-user support, Git providers, custom commands, ECHO, and API reference.
- Root project documentation, contribution guidance, MIT license, build-step checklist, implementation roadmap, and release tracking.
- PostgreSQL schema and seed data for the platform foundation.
- Agent identity files for Main Agent, ECHO, AI-Firm CEO, and reusable templates.
- Plugin templates for channels, model providers, skills, MCP, and Telegram.
- Store registry, bundle specification, store specification, and plugin submission guide.
- Unix/macOS and Windows installer scripts.
- Docker Compose quick/dev and production stacks.
- Spring Boot backend runtime under
packages/core. - Vue/Vite dashboard runtime under
packages/dashboard/frontend. - Backend APIs for health, file-defined agents, and structured logs.
- Flyway migration files and explicit migration execution during backend startup.
- Nginx API proxying for the packaged dashboard container.
- Roadmap label and milestone release workflow support.
Fixed
- Corrected README documentation links and project structure references.
- Normalized text file line endings across project file types.
- Made the backend health API independent of Actuator internals.
- Updated Docker Compose PostgreSQL 18 volume handling.
- Added PostgreSQL and Redis health checks for deterministic backend startup.
- Filtered runtime agent listing so scaffold templates are not exposed as concrete agents.
Validated
- Backend Docker image builds successfully.
- Dashboard Docker image builds successfully.
- Docker Compose config validates for quick/dev and production files.
- Local runtime starts PostgreSQL, Redis, Qdrant, backend, and dashboard.
GET /api/healthresponds through backend port8080.GET /api/healthresponds through dashboard proxy port3000.GET /api/agentsreturns concrete runtime agents.GET /api/logsreturns persisted structured startup logs.
Deferred To V2
- Live chat runtime and model invocation.
- Ollama/OpenAI/Anthropic provider execution paths.
- Realtime delivery through SSE or WebSocket.
- User authentication and role enforcement.
- Plugin installation and lifecycle management.
- Store-backed plugin and bundle installation.
- Full dashboard management workflows.
- CLI implementation against backend APIs.
- CI hardening beyond local Docker validation.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.10.0 - Hardening Pre-release
released this
2026-05-08 20:45:46 +02:00 | 294 commits to main since this releasev0.10.0 - Hardening
Added
- Added the hardening report with file-count verification, critical-file status, validation notes, and quality-rule notes.
Fixed
- Corrected README documentation links to match the actual documentation file names.
- Corrected the README project structure to point at
installer/compose/instead of a root Compose file.
Notes
v0.10.0closes the initial implementation-roadmap pass.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.9.0 - Runtime Delivery Pre-release
released this
2026-05-08 20:43:14 +02:00 | 295 commits to main since this releasev0.9.0 - Runtime Delivery
Added
- Added runtime delivery documentation for WebSocket, SSE, polling fallback, dashboard blocks, operator paths, and failure rules.
- Documented that runtime transport failures never activate ECHO automatically.
Notes
v0.9.0closes the runtime delivery milestone.- The next milestone is
v0.10.0, focused on hardening and final quality checks.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.8.0 - CLI Contract Pre-release
released this
2026-05-08 20:41:51 +02:00 | 296 commits to main since this releasev0.8.0 - CLI Contract
Added
- Added the CLI reference with global flags, command tree, TUI views, Main Agent path, manual path, and logging behavior.
- Linked the API reference to the dedicated CLI contract.
Notes
v0.8.0closes the CLI specification milestone.- The next milestone is
v0.9.0, focused on runtime delivery and observability.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.7.0 - Installer Pre-release
released this
2026-05-08 20:40:12 +02:00 | 297 commits to main since this releasev0.7.0 - Installer
Added
- Added Unix/macOS shell installer with interactive prompts and Docker Compose startup.
- Added Windows PowerShell installer with equivalent prompt and Compose behavior.
- Added quick/dev Docker Compose file for PostgreSQL, Redis, Qdrant, and optional Ollama.
- Added production Docker Compose file with restart policies and internal networking.
Notes
v0.7.0closes the installer milestone.- The next milestone is
v0.8.0, focused on the CLI command contract.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.6.0 - Documentation Set Pre-release
released this
2026-05-08 20:37:00 +02:00 | 298 commits to main since this releasev0.6.0 - Documentation Set
Added
- Added the missing subsystem docs for agents, teams, AI-Firm, heartbeat, skills, MCP, ACP, bundles, multi-user, logging, theming, ECHO, git providers, custom commands, and API reference.
- Documented Main Agent and manual paths for creatable and configurable subsystems.
- Added logging categories, API endpoints, and operator guidance required by the build-step checklist.
Notes
v0.6.0closes the documentation milestone.- The next milestone is
v0.7.0, focused on installers and Compose bootstrap files.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.5.0 - Store and Bundle System Pre-release
released this
2026-05-08 20:33:57 +02:00 | 299 commits to main since this releasev0.5.0 - Store and Bundle System
Added
- Added an example store registry with official, community, skills.sh, and ACP sources.
- Added example plugin, bundle, and statistics entries for store cache structure.
- Added the plugin and bundle submission guide covering Official Store, Community Store, skills publishing, manual installs, and logging.
- Completed the store file count required by the original build steps.
Notes
v0.5.0closes the store milestone.- The next milestone is
v0.6.0, focused on completing the documentation set.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.4.0 - Plugin Templates Pre-release
released this
2026-05-08 20:30:55 +02:00 | 300 commits to main since this releasev0.4.0 - Plugin Templates
Added
- Added the Ollama model provider manifest.
- Added the skills plugin manifest template and Claude Code Skills format template.
- Added the MCP server manifest template with stdio, HTTP, tool policy, and logging fields.
- Completed the plugin template file count required by the original build steps.
Notes
v0.4.0closes the plugin template milestone.- The next milestone is
v0.5.0, focused on the store and bundle system.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v0.3.0 - Agent Identity Layer Pre-release
released this
2026-05-08 20:28:58 +02:00 | 301 commits to main since this releasev0.3.0 - Agent Identity Layer
Added
- Added the AI-Firm example configuration with Paperclip mode routing, singleton constraints, and AI_FIRM logging events.
- Added Firm CEO identity, soul, and system prompt files.
- Completed the missing Step 10 agent files from the original build steps.
Notes
v0.3.0closes the agent identity milestone.- The next milestone is
v0.4.0, focused on plugin templates and provider integration.
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads