• v1.2.0 96e5b62aef

    github-actions[bot] released this 2026-05-08 22:15:20 +02:00 | 276 commits to main since this release

    v1.2.0 - Auth and Users

    Release Date: 2026-05-08

    Milestone: v1.2.0 (Auth and Users)

    This milestone delivers a complete authentication and user management system with Argon2id password hashing and JWT-based stateless authentication. Every /api/** endpoint other than the auth and health endpoints now requires a valid access token, providing a secure foundation for multi-user platform access.

    Added

    User Management with Argon2id Password Hashing

    • PasswordHashingService using Argon2id algorithm for secure password storage
      • 64 MiB memory cost (m=65536, expressed in KiB)
      • 3 iterations (t=3)
      • Parallelism factor of 1 (p=1)
      • Argon2id variant: the first half of the first pass is data-independent (Argon2i-style) for side-channel resistance, the rest is data-dependent (Argon2d-style) for resistance to GPU cracking
      • Bouncy Castle provider (bcprov-jdk18on 1.78.1) for Argon2 implementation
      • Constant-time hash comparison to prevent timing attacks
      • PHC string format: $argon2id$v=19$m=65536,t=3,p=1$[salt]$[hash], with salt and hash base64-encoded without padding
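
    The hashing and verification flow described above, and the reason a pre-migration BCrypt string can only be rejected, written out as an added example. This is not the project's PasswordHashingService; it is example code that assumes bcprov-jdk18on on the classpath and uses its own class and method names (Argon2idPhc, hash, verify, derive).

```java
// Added example, not SYNAPSE project code: Argon2id hashing/verification in the
// PHC string format from the release notes, using the Bouncy Castle low-level API
// (bcprov-jdk18on on the classpath). Class and method names are this example's own.
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;

public final class Argon2idPhc {
    // Parameters from the release notes: m=65536 KiB (64 MiB), t=3, p=1, 16-byte salt, 32-byte hash
    static final int MEMORY_KB = 65536;
    static final int ITERATIONS = 3;
    static final int PARALLELISM = 1;
    static final int SALT_LEN = 16;
    static final int HASH_LEN = 32;

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getEncoder().withoutPadding(); // PHC uses unpadded base64
    private static final Base64.Decoder B64D = Base64.getDecoder();                  // accepts unpadded input

    private Argon2idPhc() {}

    /** Hash a password under a fresh random salt and return the PHC string to store in password_hash. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        byte[] digest = derive(password, salt, MEMORY_KB, ITERATIONS, PARALLELISM, HASH_LEN);
        return "$argon2id$v=19$m=" + MEMORY_KB + ",t=" + ITERATIONS + ",p=" + PARALLELISM
                + "$" + B64.encodeToString(salt) + "$" + B64.encodeToString(digest);
    }

    /** Verify a password against a stored PHC string. Anything that is not an argon2id v19 string
     *  (for example a pre-migration "$2a$..." BCrypt hash) is rejected without any comparison. */
    public static boolean verify(char[] password, String stored) {
        // "$argon2id$v=19$m=65536,t=3,p=1$<salt>$<hash>" splits into 6 fields; field 0 is empty
        String[] f = stored.split("\\$");
        if (f.length != 6 || !f[0].isEmpty() || !"argon2id".equals(f[1]) || !"v=19".equals(f[2])) {
            return false;
        }
        try {
            int m = -1, t = -1, p = -1;
            for (String kv : f[3].split(",")) {
                String[] pair = kv.split("=", 2);
                if (pair.length != 2) return false;
                int v = Integer.parseInt(pair[1]);
                switch (pair[0]) {
                    case "m": m = v; break;
                    case "t": t = v; break;
                    case "p": p = v; break;
                    default: return false;
                }
            }
            if (m <= 0 || t <= 0 || p <= 0) return false;
            byte[] salt = B64D.decode(f[4]);
            byte[] expected = B64D.decode(f[5]);
            // Recompute with the parameters stored beside the hash, so old hashes still verify after a
            // future cost increase; compare in constant time so the position of a mismatch leaks nothing
            byte[] actual = derive(password, salt, m, t, p, expected.length);
            return MessageDigest.isEqual(expected, actual);
        } catch (IllegalArgumentException malformed) { // bad integer or bad base64 in the stored string
            return false;
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int memoryKb, int iterations, int lanes, int outLen) {
        Argon2Parameters params = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
                .withVersion(Argon2Parameters.ARGON2_VERSION_13) // 0x13 = 19, the "v=19" in the PHC string
                .withMemoryAsKB(memoryKb)
                .withIterations(iterations)
                .withParallelism(lanes)
                .withSalt(salt)
                .build();
        Argon2BytesGenerator generator = new Argon2BytesGenerator();
        generator.init(params);
        byte[] out = new byte[outLen];
        generator.generateBytes(password, out); // password chars are UTF-8 encoded by the generator
        return out;
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        String phc = hash(pw);
        System.out.println(phc);
        System.out.println("right password: " + verify(pw, phc));
        System.out.println("wrong password: " + verify("wrong".toCharArray(), phc));
        // Constructed placeholder in BCrypt's "$2a$" layout, standing in for a pre-migration row
        System.out.println("legacy bcrypt:  " + verify(pw, "$2a$10$legacyHashFromBeforeTheMigration"));
    }
}
```

    Two points worth noticing when running this: every verify() call allocates the full 64 MiB, so the login endpoint pays that per concurrent attempt and the thread pool (and, until rate limiting lands, the attacker) bounds memory use; and a BCrypt-format string fails the prefix check before any hashing happens, which is the mechanical reason the migration note says those users must reset their passwords rather than being silently re-hashed.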

    User CRUD APIs

    • UserController REST endpoints:

      • GET /api/users - List all users
      • GET /api/users/{id} - Get user by ID
      • POST /api/users - Create new user with password hashing
      • PATCH /api/users/{id} - Update user (username, email, role)
      • PATCH /api/users/{id}/password - Change user password
      • DELETE /api/users/{id} - Delete user
    • UserService enhancements:

      • create(user, plainPassword) - Hash password and create user
      • update(id, updates) - Update user with change tracking
      • updatePassword(id, newPlainPassword) - Securely change password
      • Username and email uniqueness validation
      • Structured logging for all user operations (create, update, password change, delete)
      • Change tracking for user updates (before/after values logged)
    • DTOs:

      • UpdatePasswordRequest - Password change request validation
      • UpdateUserRequest - User update with email and role validation

    JWT Infrastructure

    • JJWT library version 0.12.6 for JWT token management

      • jjwt-api - JWT API
      • jjwt-impl - JWT implementation
      • jjwt-jackson - Jackson integration for JSON serialization
    • JwtService for token generation and validation:

      • generateAccessToken(userId, username, role) - Create short-lived access token
      • generateRefreshToken(userId) - Create long-lived refresh token
      • parseToken(token) - Parse and validate JWT claims
      • isTokenValid(token) - Check token validity and expiration
      • Extract userId, username, role, and token type from tokens
      • Access tokens valid for 15 minutes (configurable via jwt.access-token-validity-ms)
      • Refresh tokens valid for 7 days (configurable via jwt.refresh-token-validity-ms)
      • Tokens signed with HS256 (HMAC-SHA256) algorithm
      • JWT secret configurable via jwt.secret property (MUST change in production)
    • Token Claims:

      • sub (subject) - User ID
      • username - Username
      • role - User role (OWNER, ADMIN, USER, VIEWER)
      • type - Token type (access or refresh)
      • iat - Issued at timestamp
      • exp - Expiration timestamp

    Authentication Endpoints

    • AuthenticationService:

      • login(username, password) - Authenticate user and generate tokens
      • refreshToken(refreshToken) - Generate new access token from refresh token
      • Password verification using PasswordHashingService
      • Structured logging for login attempts (success and failure)
      • Structured logging for token refresh operations
      • BadCredentialsException for invalid credentials or tokens
    • AuthenticationController REST endpoints:

      • POST /api/auth/login - User login with username and password
      • POST /api/auth/refresh - Refresh access token using refresh token
    • DTOs:

      • LoginRequest - Login credentials validation
      • RefreshTokenRequest - Refresh token validation
      • AuthenticationResponse - Login/refresh response with tokens and user info

    JWT Authentication and Authorization

    • JwtAuthenticationFilter:

      • Extracts JWT from Authorization: Bearer <token> header
      • Validates token signature and expiration
      • Only accepts access tokens (rejects refresh tokens)
      • Populates Spring Security context with user information
      • Creates UsernamePasswordAuthenticationToken with user ID as principal
      • Attaches JwtAuthenticationDetails with userId, username, and role
      • Grants ROLE_<role> authority for role-based authorization
      • Leaves the security context empty for missing, invalid or expired tokens instead of failing the request itself; Spring Security's authentication entry point then returns 401 when a protected endpoint is hit
    • SecurityContextHelper utility:

      • getCurrentUserId() - Get current authenticated user ID
      • getCurrentUsername() - Get current authenticated username
      • getCurrentUserRole() - Get current authenticated user role
      • isAuthenticated() - Check if user is authenticated
      • hasRole(role) - Check if user has specific role
    • SecurityConfig enhancements:

      • CSRF protection disabled (stateless JWT authentication; safe because tokens travel only in the Authorization header and never in a cookie the browser would attach on its own)
      • Stateless session management
      • Method-level security enabled with @EnableMethodSecurity
      • Public endpoints: /api/auth/**, /api/health, /actuator/**
      • All other /api/** endpoints require authentication
      • JWT filter registered before UsernamePasswordAuthenticationFilter
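
    The token lifecycle from the two sections above (JwtService claims and validity windows, then the filter's Bearer extraction, access-only rule and ROLE_ mapping) as one added example. This is not the project's JwtService or JwtAuthenticationFilter; it is example code built on the public JJWT 0.12 API, with its own class and method names (StatelessJwt, accessToken, refreshToken, parse, authorityFromHeader), and it generates a throwaway 32-byte secret at run time instead of reading jwt.secret.

```java
// Added example, not SYNAPSE project code: HS256 access/refresh tokens carrying the claims
// listed in the release notes, built on JJWT 0.12.x (jjwt-api, jjwt-impl, jjwt-jackson on
// the classpath). Class and method names are this example's own.
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.Optional;
import java.util.UUID;

import javax.crypto.SecretKey;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.WeakKeyException;

public final class StatelessJwt {
    static final Duration ACCESS_VALIDITY = Duration.ofMillis(900_000L);      // jwt.access-token-validity-ms
    static final Duration REFRESH_VALIDITY = Duration.ofMillis(604_800_000L); // jwt.refresh-token-validity-ms

    private final SecretKey key;

    /** Keys.hmacShaKeyFor throws WeakKeyException for anything under 256 bits, the RFC 7518 minimum for HS256. */
    public StatelessJwt(byte[] secret) {
        this.key = Keys.hmacShaKeyFor(secret);
    }

    public String accessToken(UUID userId, String username, String role, Instant now) {
        return Jwts.builder()
                .subject(userId.toString())
                .claim("username", username)
                .claim("role", role)
                .claim("type", "access")
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plus(ACCESS_VALIDITY)))
                .signWith(key, Jwts.SIG.HS256) // pin HS256; signWith(key) alone picks HS512 for a 512-bit secret
                .compact();
    }

    public String refreshToken(UUID userId, Instant now) {
        // Minimal claims: no username or role, so a leaked refresh token reveals less
        return Jwts.builder()
                .subject(userId.toString())
                .claim("type", "refresh")
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plus(REFRESH_VALIDITY)))
                .signWith(key, Jwts.SIG.HS256)
                .compact();
    }

    /** Signature and expiry check; empty for anything that must not authenticate. */
    public Optional<Claims> parse(String token) {
        try {
            return Optional.of(Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload());
        } catch (JwtException | IllegalArgumentException e) {
            // expired, tampered, malformed, unsigned ("alg":"none") or wrong-key tokens all land here
            return Optional.empty();
        }
    }

    /**
     * The filter's decision for an "Authorization: Bearer ..." header: the ROLE_ authority to grant,
     * or empty when the security context should stay unpopulated. A refresh token has a valid
     * signature but the wrong "type", so it is refused here even though parse() accepts it.
     */
    public Optional<String> authorityFromHeader(String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) {
            return Optional.empty();
        }
        return parse(authorization.substring("Bearer ".length()))
                .filter(c -> "access".equals(c.get("type", String.class)))
                .map(c -> c.get("role", String.class))
                .filter(role -> role != null)
                .map(role -> "ROLE_" + role);
    }

    public static void main(String[] args) {
        // Constructed sample secret: 32 random bytes generated for this run, not a fixed literal
        byte[] secret = Jwts.SIG.HS256.key().build().getEncoded();
        StatelessJwt jwt = new StatelessJwt(secret);
        UUID userId = UUID.randomUUID();
        Instant now = Instant.now();

        String access = jwt.accessToken(userId, "admin", "ADMIN", now);
        String refresh = jwt.refreshToken(userId, now);
        // Flip the first character of the signature segment so the HMAC no longer matches
        int sig = access.lastIndexOf('.') + 1;
        String tampered = access.substring(0, sig) + (access.charAt(sig) == 'A' ? 'B' : 'A') + access.substring(sig + 1);
        String expired = jwt.accessToken(userId, "admin", "ADMIN", now.minus(ACCESS_VALIDITY).minusSeconds(60));

        System.out.println("access token   -> " + jwt.authorityFromHeader("Bearer " + access));
        System.out.println("refresh token  -> " + jwt.authorityFromHeader("Bearer " + refresh));
        System.out.println("tampered token -> " + jwt.authorityFromHeader("Bearer " + tampered));
        System.out.println("expired token  -> " + jwt.authorityFromHeader("Bearer " + expired));

        try {
            new StatelessJwt("short".getBytes(StandardCharsets.UTF_8)); // 40 bits, below the HS256 minimum
        } catch (WeakKeyException weak) {
            System.out.println("weak secret rejected: " + weak.getMessage());
        }
    }
}
```

    Of the four header checks in main(), only the genuine access token yields ROLE_ADMIN: the refresh token is dropped by the type filter, the tampered and expired tokens by the parser. The constructor also shows why the notes insist on a 256-bit secret: JJWT refuses to build an HMAC key from a short one. Because HS256 is symmetric, every service holding jwt.secret to verify tokens can also mint them, which is the practical cost of the single-secret limitation listed below.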

    Security Features

    • Role-Based Access Control:

      • User roles: OWNER, ADMIN, USER, VIEWER
      • Spring Security authorities with ROLE_ prefix
      • Method security annotations supported: @PreAuthorize, @Secured, @RolesAllowed
    • Security Logging:

      • Login success and failure events
      • Token refresh events
      • User creation, updates, password changes, deletion
      • Failed login attempts logged with reason for security monitoring

    Changed

    • BREAKING CHANGE: All API endpoints now require authentication except:

      • /api/auth/** - Authentication endpoints
      • /api/health - Health check endpoint
      • /actuator/** - Spring Boot Actuator endpoints
    • User Management: All user operations now use Argon2id instead of BCrypt

      • Existing BCrypt hashes ($2a$/$2b$ prefix) can no longer be verified; affected users must reset their passwords

    Security Notes

    • Production Deployment:

      • MUST change jwt.secret property in production (default is for development only; anyone who knows the published default can mint valid tokens)
      • Recommended JWT secret: at least 256 bits (32 bytes) of cryptographically random key material for HS256; JJWT refuses shorter keys. A 32-character passphrase is not equivalent, because typed characters carry well under 8 bits of entropy each
      • Inject the secret from an environment variable or a secrets manager rather than committing it to configuration (Spring Boot's relaxed binding maps JWT_SECRET to jwt.secret)
      • /actuator/** is public by configuration; before production, limit the exposed endpoints with management.endpoints.web.exposure.include or move management to an internal port with management.server.port
    • Token Security:

      • Access tokens are short-lived (15 minutes) to limit the window in which a leaked token is usable
      • Refresh tokens are long-lived (7 days) but minimal (only userId and type), and the authentication filter refuses them as bearer credentials
      • Only access tokens carry username and role; JWT claims are signed, not encrypted, so anyone holding a token can read them
      • Tokens are stateless - no server-side session storage required, which also means a token cannot be revoked before it expires (see Known Limitations)
    • Password Security:

      • Argon2id with 64 MiB of memory per hash is memory-hard: each guess costs RAM as well as CPU time, which caps how many guesses a GPU or ASIC can run in parallel. The server pays the same 64 MiB per concurrent verification, so size the login thread pool accordingly
      • Constant-time comparison prevents timing attack exploitation
      • Salt is randomly generated per password (16 bytes)
      • Hash output is 32 bytes

    Configuration

    New configuration properties:

    jwt:
      secret: "CHANGE_ME_IN_PRODUCTION_THIS_MUST_BE_AT_LEAST_256_BITS_LONG_FOR_HS256"
      access-token-validity-ms: 900000  # 15 minutes
      refresh-token-validity-ms: 604800000  # 7 days
    

    Migration Guide

    For API Clients

    All API requests (except auth endpoints) now require authentication:

    # 1. Login to get tokens
    curl -X POST http://localhost:8080/api/auth/login \
      -H "Content-Type: application/json" \
      -d '{"username": "admin", "password": "password"}'
    
    # Response: {"accessToken": "...", "refreshToken": "...", "userId": "...", "username": "admin", "role": "ADMIN"}
    
    # 2. Use access token for authenticated requests
    curl http://localhost:8080/api/users \
      -H "Authorization: Bearer <accessToken>"
    
    # 3. Refresh access token when expired
    curl -X POST http://localhost:8080/api/auth/refresh \
      -H "Content-Type: application/json" \
      -d '{"refreshToken": "<refreshToken>"}'
    

    For Developers

    Access current user in Spring components:

    import java.util.UUID;
    import org.springframework.stereotype.Service;

    @Service
    public class MyService {
        private final SecurityContextHelper securityHelper;

        // Constructor injection; Spring supplies the helper bean
        public MyService(SecurityContextHelper securityHelper) {
            this.securityHelper = securityHelper;
        }

        public void myMethod() {
            UUID userId = securityHelper.getCurrentUserId();
            String username = securityHelper.getCurrentUsername();
            String role = securityHelper.getCurrentUserRole();

            if (securityHelper.hasRole("ADMIN")) {
                // Admin-only logic
            }
        }
    }
    

    Use method security annotations:

    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.stereotype.Service;

    // The annotations are enforced by the Spring proxy, so they only apply to public methods of a
    // Spring bean invoked from another bean; a call from within the same class bypasses them.
    // hasRole('ADMIN') matches the ROLE_ADMIN authority the JWT filter grants.
    @Service
    public class PrivilegedService {

        @PreAuthorize("hasRole('ADMIN')")
        public void adminOnlyMethod() {
            // Only ADMIN role can call this
        }

        @PreAuthorize("hasAnyRole('ADMIN', 'OWNER')")
        public void privilegedMethod() {
            // ADMIN or OWNER can call this
        }
    }
    

    Technical Details

    • Dependencies:

      • Spring Boot Starter Security 4.0.0
      • JJWT 0.12.6 (jjwt-api, jjwt-impl, jjwt-jackson)
      • Bouncy Castle bcprov-jdk18on 1.78.1
    • Database Schema: Uses existing users table from v1.0.0

      • password_hash column stores Argon2id hashes in PHC format
    • Logging: All authentication and user management operations logged to system_logs table

      • Categories: AUTH, API
      • Events: USER_CREATED, USER_UPDATED, PASSWORD_UPDATED, USER_DELETED, LOGIN_SUCCESS, LOGIN_FAILED, TOKEN_REFRESHED

    Included Patches

    This milestone includes development patches v1.0.7-dev through v1.0.10-dev:

    • v1.0.7-dev: User CRUD with password hashing (initially BCrypt)
    • v1.0.8-dev: JWT infrastructure (JwtService, AuthenticationService)
    • v1.0.9-dev: Switch from BCrypt to Argon2id
    • v1.0.10-dev: JWT authentication filter and authorization enforcement

    Known Limitations

    • Single JWT secret for all tokens, and HS256 is symmetric, so any component that verifies tokens can also mint them (consider key rotation in future)
    • No token revocation mechanism (tokens valid until expiration)
    • No password complexity requirements enforced (validation in future)
    • No rate limiting on login attempts (future enhancement)
    • No account lockout after failed login attempts (future enhancement)

    Next Steps

    The next milestone (v1.3.0) will focus on Model Providers, implementing:

    • Model provider registry and configuration
    • Ollama provider integration
    • OpenAI provider integration
    • Anthropic provider integration
    • Provider health checks and fallback mechanisms
  • v1.0.0 398f06af70

    github-actions[bot] released this 2026-05-08 21:27:12 +02:00 | 287 commits to main since this release

    v1.0.0 - Initial Runnable Platform Release

    v1.0.0 is the first runnable SYNAPSE baseline. It turns the planning repository into a local platform runtime with a Spring Boot backend, Vue dashboard, PostgreSQL migrations, structured logs, Docker Compose orchestration, and concrete runtime API checks.

    Added

    • Complete documentation scaffold for architecture, agents, teams, AI-Firm, plugins, store, bundles, logging, theming, installer, CLI, ACP, MCP, skills, heartbeat, self-learning, multi-user support, Git providers, custom commands, ECHO, and API reference.
    • Root project documentation, contribution guidance, MIT license, build-step checklist, implementation roadmap, and release tracking.
    • PostgreSQL schema and seed data for the platform foundation.
    • Agent identity files for Main Agent, ECHO, AI-Firm CEO, and reusable templates.
    • Plugin templates for channels, model providers, skills, MCP, and Telegram.
    • Store registry, bundle specification, store specification, and plugin submission guide.
    • Unix/macOS and Windows installer scripts.
    • Docker Compose quick/dev and production stacks.
    • Spring Boot backend runtime under packages/core.
    • Vue/Vite dashboard runtime under packages/dashboard/frontend.
    • Backend APIs for health, file-defined agents, and structured logs.
    • Flyway migration files and explicit migration execution during backend startup.
    • Nginx API proxying for the packaged dashboard container.
    • Roadmap label and milestone release workflow support.

    Fixed

    • Corrected README documentation links and project structure references.
    • Normalized text file line endings across project file types.
    • Made the backend health API independent of Actuator internals.
    • Updated Docker Compose PostgreSQL 18 volume handling.
    • Added PostgreSQL and Redis health checks for deterministic backend startup.
    • Filtered runtime agent listing so scaffold templates are not exposed as concrete agents.

    Validated

    • Backend Docker image builds successfully.
    • Dashboard Docker image builds successfully.
    • Docker Compose config validates for quick/dev and production files.
    • Local runtime starts PostgreSQL, Redis, Qdrant, backend, and dashboard.
    • GET /api/health responds through backend port 8080.
    • GET /api/health responds through dashboard proxy port 3000.
    • GET /api/agents returns concrete runtime agents.
    • GET /api/logs returns persisted structured startup logs.

    Deferred To V2

    • Live chat runtime and model invocation.
    • Ollama/OpenAI/Anthropic provider execution paths.
    • Realtime delivery through SSE or WebSocket.
    • User authentication and role enforcement.
    • Plugin installation and lifecycle management.
    • Store-backed plugin and bundle installation.
    • Full dashboard management workflows.
    • CLI implementation against backend APIs.
    • CI hardening beyond local Docker validation.
  • v0.10.0 09e4c52fbd

    v0.10.0 - Hardening Pre-release

    github-actions[bot] released this 2026-05-08 20:45:46 +02:00 | 294 commits to main since this release

    v0.10.0 - Hardening

    Added

    • Added the hardening report with file-count verification, critical-file status, validation notes, and quality-rule notes.

    Fixed

    • Corrected README documentation links to match the actual documentation file names.
    • Corrected the README project structure to point at installer/compose/ instead of a root Compose file.

    Notes

    • v0.10.0 closes the initial implementation-roadmap pass.
  • v0.9.0 088d2b06af

    github-actions[bot] released this 2026-05-08 20:43:14 +02:00 | 295 commits to main since this release

    v0.9.0 - Runtime Delivery

    Added

    • Added runtime delivery documentation for WebSocket, SSE, polling fallback, dashboard blocks, operator paths, and failure rules.
    • Documented that runtime transport failures never activate ECHO automatically.

    Notes

    • v0.9.0 closes the runtime delivery milestone.
    • The next milestone is v0.10.0, focused on hardening and final quality checks.
  • v0.8.0 30ef4d61d5

    v0.8.0 - CLI Contract Pre-release

    github-actions[bot] released this 2026-05-08 20:41:51 +02:00 | 296 commits to main since this release

    v0.8.0 - CLI Contract

    Added

    • Added the CLI reference with global flags, command tree, TUI views, Main Agent path, manual path, and logging behavior.
    • Linked the API reference to the dedicated CLI contract.

    Notes

    • v0.8.0 closes the CLI specification milestone.
    • The next milestone is v0.9.0, focused on runtime delivery and observability.
  • v0.7.0 a90313e883

    v0.7.0 - Installer Pre-release

    github-actions[bot] released this 2026-05-08 20:40:12 +02:00 | 297 commits to main since this release

    v0.7.0 - Installer

    Added

    • Added Unix/macOS shell installer with interactive prompts and Docker Compose startup.
    • Added Windows PowerShell installer with equivalent prompt and Compose behavior.
    • Added quick/dev Docker Compose file for PostgreSQL, Redis, Qdrant, and optional Ollama.
    • Added production Docker Compose file with restart policies and internal networking.

    Notes

    • v0.7.0 closes the installer milestone.
    • The next milestone is v0.8.0, focused on the CLI command contract.
  • v0.6.0 5139cc51e2

    github-actions[bot] released this 2026-05-08 20:37:00 +02:00 | 298 commits to main since this release

    v0.6.0 - Documentation Set

    Added

    • Added the missing subsystem docs for agents, teams, AI-Firm, heartbeat, skills, MCP, ACP, bundles, multi-user, logging, theming, ECHO, git providers, custom commands, and API reference.
    • Documented Main Agent and manual paths for creatable and configurable subsystems.
    • Added logging categories, API endpoints, and operator guidance required by the build-step checklist.

    Notes

    • v0.6.0 closes the documentation milestone.
    • The next milestone is v0.7.0, focused on installers and Compose bootstrap files.
  • v0.5.0 c45922a3ec

    github-actions[bot] released this 2026-05-08 20:33:57 +02:00 | 299 commits to main since this release

    v0.5.0 - Store and Bundle System

    Added

    • Added an example store registry with official, community, skills.sh, and ACP sources.
    • Added example plugin, bundle, and statistics entries for store cache structure.
    • Added the plugin and bundle submission guide covering Official Store, Community Store, skills publishing, manual installs, and logging.
    • Completed the store file count required by the original build steps.

    Notes

    • v0.5.0 closes the store milestone.
    • The next milestone is v0.6.0, focused on completing the documentation set.
  • v0.4.0 31598fcd65

    github-actions[bot] released this 2026-05-08 20:30:55 +02:00 | 300 commits to main since this release

    v0.4.0 - Plugin Templates

    Added

    • Added the Ollama model provider manifest.
    • Added the skills plugin manifest template and Claude Code Skills format template.
    • Added the MCP server manifest template with stdio, HTTP, tool policy, and logging fields.
    • Completed the plugin template file count required by the original build steps.

    Notes

    • v0.4.0 closes the plugin template milestone.
    • The next milestone is v0.5.0, focused on the store and bundle system.
  • v0.3.0 32aad8a8d6

    github-actions[bot] released this 2026-05-08 20:28:58 +02:00 | 301 commits to main since this release

    v0.3.0 - Agent Identity Layer

    Added

    • Added the AI-Firm example configuration with Paperclip mode routing, singleton constraints, and AI_FIRM logging events.
    • Added Firm CEO identity, soul, and system prompt files.
    • Completed the missing Step 10 agent files from the original build steps.

    Notes

    • v0.3.0 closes the agent identity milestone.
    • The next milestone is v0.4.0, focused on plugin templates and provider integration.