eliott/paperclip
1
0
Fork 0
mirror of https://github.com/paperclipai/paperclip synced 2026-04-25 17:25:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
paperclip/releases/v2026.414.0.md
Dotta b9a80dcf22 feat: implement multi-user access and invite flows (#3784) 
## Thinking Path

> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.

## What Changed

- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.

## Verification

- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.

## Risks

- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.

## Model Used

- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.

---------

Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00

14 KiB
Raw Permalink Blame History

v2026.414.0

Released: 2026-04-14

Security

  • Authorization hardening (GHSA-68qg-g8mg-6pr7) — Scoped import, approval, activity, and heartbeat API routes to enforce proper authorization checks. Previously, certain administrative endpoints were accessible without adequate permission verification. All users are strongly encouraged to upgrade. (#3315, #3009, @KhairulA)
  • Removed hardcoded JWT secret fallback — The createBetterAuthInstance function no longer falls back to a hardcoded JWT secret, closing a credential-hygiene gap. (#3124, @cleanunicorn)
  • Redact Bearer tokens in logs — Server log output now redacts Bearer tokens to prevent accidental credential exposure.
  • Dependency bumps — Updated multer to 2.1.1 (HIGH CVEs) and rollup to 4.59.0 (path-traversal CVE). (#2909, @marysomething99-prog)

Highlights

  • Multi-user access and invites — Full multi-user authentication, company roles, and invite management. Board users can create invite links, approve join requests, and manage member roles. Invite flows support auto-accept for signed-in users, paginated history, and human-readable requester identities in approval views.
  • Human user identities everywhere — Human users now appear with real names and avatars across activity feeds, issue tables, assignee pickers, and @-mention menus. A lightweight user directory endpoint powers consistent identity resolution across the UI.
  • Issue chat thread — Replaced the classic comment timeline with a full chat-style thread powered by assistant-ui. Agent run transcripts, chain-of-thought, and user messages render inline as a continuous conversation with polished avatars, action bars, and relative timestamps. (#3079)
  • External adapter plugin system — Third-party adapters can now be installed as npm packages or loaded from local directories. Plugins declare a config schema and an optional UI transcript parser; built-in adapters can be overridden by external ones. Includes Hermes local session management and provider/model display in run details. (#2649, #2650, #2651, #2654, #2655, #2659, @plind-dm)
  • Execution policies — Issues can carry a review/approval execution policy with multi-stage signoff workflows. Reviewers and approvers are selected per-stage, and Paperclip routes the issue through each stage automatically. (#3222)
  • Blocker dependencies — First-class issue blocker relations with automatic wake-on-dependency-resolved. Set blockedByIssueIds on any issue and Paperclip wakes the assignee when all blockers reach done. (#2797)
  • Standalone MCP server — New @paperclipai/mcp-server package exposing the Paperclip API as an MCP tool server, including approval creation. (#2435)

Improvements

  • Invite UX polish — Auto-submit for signed-in invites, inline auth flow, paginated invite history, requester identity in join approvals, and prevention of duplicate join requests and member re-invites.
  • Board approvals — Generic issue-linked board approvals with card styling and visibility improvements in the issue detail sidebar. (#3220)
  • Inbox parent-child nesting — Parent issues group their children in the inbox Mine view with a toggle button, j/k keyboard traversal across nested items, and collapsible groups. (#2218, @HenkDz)
  • Inbox workspace grouping — Issues can now be grouped by workspace in the inbox with collapsible mobile groups and shared column controls across inbox and issues lists. (#3356)
  • Issue search — Trigram-indexed full-text search across titles, identifiers, descriptions, and comments with debounced input. Comment matches now surface in search results. (#2999)
  • Sub-issues inline — Sub-issues moved from a separate tab to inline display on the issue detail, with parent-inherited workspace defaults and assignee propagation. (#3355)
  • Issue-to-issue navigation — Faster navigation between issues with scroll reset, prefetch, and detail-view optimizations. (#3542)
  • Auto-checkout for scoped wakes — Agent harness now automatically checks out the scoped issue on comment-driven wakes, reducing latency for agent heartbeats. (#3538)
  • Document revision diff viewer — Side-by-side diff viewer for issue document revisions with improved modal layout. (#2792)
  • Keyboard shortcuts cheatsheet — Press ? to open a keyboard shortcut reference dialog; new g i (go to inbox), g c (comment composer), and inbox archive undo shortcuts. (#2772)
  • Bedrock model selection — Claude local adapter now supports AWS Bedrock authentication and model selection. (#3033, #2793, @kimnamu)
  • Codex fast mode — Added fast mode support for the Codex local adapter with env probe safeguards. (#3383)
  • Backup improvements — Gzip-compressed backups with tiered daily/weekly/monthly retention and UI controls in Instance Settings. (#3015, @aronprins)
  • GitHub webhook signing modes — Added github_hmac and none webhook signing modes with timing-safe HMAC comparison. (#1961, @antonio-mello-ai)
  • Sidebar order persistence — Sidebar project and company ordering preferences now persist per-user.
  • Workspace runtime controls — Start/stop controls, runtime state reconciliation, runtime service improvements, and workspace branch/folder display in the issue properties sidebar. (#3354)
  • Attachment improvements — Arbitrary file attachments (not just images), drag-and-drop non-image files onto markdown editor, and square-cropped image gallery grid. (#2749)
  • Image gallery in chat — Clicking images in chat messages now opens a full gallery viewer.
  • Mobile UX — Gmail-inspired mobile top bar for inbox issue views, responsive execution workspace pages, mobile mention menu placement, and mobile comment copy button feedback.
  • Routine improvements — Draft routine defaults, run-time overrides, routine title variables, and relaxed project/agent requirements for routines. (#3220)
  • Project environment variables — Projects can now define environment variables that are inherited by workspace runs.
  • Skill auto-enable — Mentioned skills are automatically enabled for heartbeat runs.
  • Comment wake batching — Multiple comment wakes are batched into a single inline payload for more efficient agent heartbeats.
  • Server-side adapter pause/resume — Builtin adapter types can now be paused/resumed from the server with overridePaused. (#2542, @plind-dm)
  • Skill slash-command autocomplete — Skill names now autocomplete in the editor.
  • Worktree reseed command — New CLI command to reseed worktrees from latest repo state. (#3353)

Fixes

  • Assignee name overflow — Fixed long assignee names overflowing in the issues list grid with proper truncation.
  • Company alerts isolation — Company-level alerts no longer appear in personal inbox.
  • Invite state management — Fixed reused invite refresh pending state, paginated invite history cache isolation, and invite flow state mapping across reloads.
  • Issue detail stability — Fixed visible refreshes during agent updates, comment post resets, ref update loops, split regressions, and main-pane focus on navigation. (#3355)
  • Inbox badge count — Badge now correctly counts only unread Mine issues. (#2512, @AllenHyang)
  • Inbox keyboard navigation — Fixed j/k traversal across groups and nesting column alignment. (#2218, @HenkDz)
  • Execution workspaces — Fixed linked worktree reuse, dev runner isolation, workspace import regressions, and workspace preflight through server toolchain.
  • Stale execution locks — Fixed stale execution lock lifecycle with proper executionAgentNameKey clearing. (#2643, @chrisschwer)
  • Agent env bindings — Fixed cleared agent env bindings not persisting on save. (#3232, @officialasishkumar)
  • Capabilities field — Fixed blank screen when clearing the Capabilities field. (#2442, @sparkeros)
  • Skill deletion — Company skills can now be deleted with an agent usage check. (#2441, @DanielSousa)
  • Claude session resume — Fixed --append-system-prompt-file being sent on resumed Claude sessions and preserved instructions on resume fallback. (#2949, #2936, #2937, @Lempkey)
  • Agent auth JWT — Fixed agent auth to fall back to BETTER_AUTH_SECRET when PAPERCLIP_AGENT_JWT_SECRET is absent. (#2866, @ergonaworks)
  • Typing lag — Fixed typing lag in long comment threads. (#3163)
  • Shimmer animation — Fixed shimmer text using invalid hsl() wrapper on oklch colors, loop jitter, and added pause between repeats.
  • Mention selection — Restored touch mention selection and fixed spaced mention queries.
  • Inbox archive — Fixed archive flashing back after fade-out.
  • Goal description — Made goal description area scrollable in create dialog. (#2148, @shoaib050326)
  • Worktree provisioning — Fixed symlink relinking, fallback seeding, dependency hydration, and validated linked worktrees before reuse. (#3354)
  • Node keepAliveTimeout — Increased timeout behind reverse proxies to prevent 502 errors.
  • Codex tool-use transcripts — Fixed Codex tool-use transcript completion parsing.
  • Codex resume error — Recognize missing-rollout Codex resume error as stale session.
  • Pi quota exhaustion — Treat Pi quota exhaustion as a failed run. (#2305)
  • Issue identifier collisions — Prevented identifier collisions during concurrent issue creation.
  • OpenClaw CEO paths — Fixed $AGENT_HOME references in CEO onboarding instructions to use relative paths. (#3299, @aronprins)
  • Windows adapter — Uses cmd.exe for .cmd/.bat wrappers on Windows. (#2662, @wbelt)
  • Markdown autoformat — Fixed autoformat of pasted markdown in inline editor. (#2733, @davison)
  • Paused agent dimming — Correctly dim paused agents in list and org chart views; skip dimming on Paused filter tab. (#2397, @HearthCore)
  • Import role fallback — Import now reads agent role from frontmatter before defaulting to "agent". (#2594, @plind-dm)
  • Backup cleanup — Clean up orphaned .sql files on compression failure and fix stale startup log.

Upgrade Guide

Nine new database migrations (00490056) will run automatically on startup. These add:

  • Issue blocker relations table (0049)
  • Project environment variables (0050)
  • Trigram search indexes on issues and comments (0051 — requires pg_trgm extension)
  • Execution policy decision tracking (0052)
  • Non-issue inbox dismissals (0053)
  • Relaxed routine constraints (0054)
  • Heartbeat run process group tracking (0055)
  • User sidebar preferences (0056)

All migrations are additive — no existing data is modified or removed.

pg_trgm extension: Migration 0051 creates the pg_trgm PostgreSQL extension for full-text search. If your database user does not have CREATE EXTENSION privileges, ask your DBA to run CREATE EXTENSION IF NOT EXISTS pg_trgm; before upgrading.

If you use external adapter plugins, note that built-in adapters can now be overridden by external ones. The overriddenBuiltin flag in the adapter API indicates when this is happening.

Contributors

Thank you to everyone who contributed to this release!

@AllenHyang, @antonio-mello-ai, @aronprins, @chrisschwer, @cleanunicorn, @cryppadotta, @DanielSousa, @davison, @ergonaworks, @HearthCore, @HenkDz, @KhairulA, @kimnamu, @Lempkey, @marysomething99-prog, @mvanhorn, @officialasishkumar, @plind-dm, @shoaib050326, @sparkeros, @wbelt

Reference in New Issue View Git Blame Copy Permalink