Skip to main content

Release notes

Versioned release notes for Midcore. For the latest builds and binaries, see the Download page and the project repository.

June 2026 — Workspace Audit, grounded research, anti-fabrication, billing-bug fix

A safety and self-knowledge release: the agent stops guessing about real people, the IDE-embedded Studio gets a one-click full-workspace audit, the chat tells you when workspace context has been dropped, and a critical metering bug that froze prepaid balances on plans without defined included quotas is closed.

  • Added
    • Workspace Audit — Studio panel + `/api/v1/autonomy/workspace-audit/{run|stream|<id>}` routes. One-click run of security, architecture, sanity, and health audits on the directory the user has open in their IDE. Streaming SSE progress, exportable JSON, severity-bucketed findings, overall 0-100 score with letter grade.
    • GroundedResearchEngine — real public-source web research via Brave Search / Tavily / SearXNG / DuckDuckGo HTML fallback. Per-claim citations carry url, title, snippet, retrieved_at, and a stable snippet hash. Refuses when no backend is configured; refuses when public evidence is insufficient; surfaces disambiguation candidates when a personal name is ambiguous. No path produces uncited facts about real people.
    • `grounded_research` agent tool — LLM-callable surface that routes through the engine; the tool description explicitly forbids free-generation. Refusal payloads (refusal_reason + disambiguation_candidates) flow back to the chat verbatim.
    • TopicShiftDetector — classifies every new chat prompt into continuation / new-topic-workspace-related / new-topic-external / new-topic-personal. The detector drives both workspace-context gating (no more codebase facts mixed into a biographical answer) and the grounded-research routing decision.
    • Topic detection banner — a small in-bubble notice in the chat UI announcing when workspace context was dropped or when grounded research is incoming. Includes confidence, subject entities, and a collapsible "why did the classifier decide this?" disclosure.
    • Anti-fabrication preamble — applied at every research LLM entry point as defense-in-depth: routes.py `_research_llm_user_prompt`, the `/research/complete` endpoint, and `AgentRuntime.invoke_model`. The LLM is explicitly told to treat training-data memory as unreliable for facts about real entities.
    • IDE-embed Studio no longer ships its own ChatPanel — the desktop host owns chat. Studio panels (security, architecture, audit, files, git, sessions) now target the local workspace via the `X-Midcore-Workspace-Root` header injected automatically by the web client in `?ide=1` mode.
  • Changed
    • Studio default-lands on the Workspace Audit view inside the IDE embed (only on first mount; user navigation is respected).
    • Midcore CLI deep-hardening pass: stronger keychain fallback path, MCP server registration via `midcore mcp ls/add/remove/show`, ACP JSON-RPC server mode, session/share commands, and cleaner exit codes.
  • Fixed
    • 🛑 CRITICAL FIX — prepaid balance was not debiting on plans with no defined `included_fast_requests`. Symptom: balance frozen at the initial-credit amount (e.g. $15 USD) despite real usage. Root cause: `UsageMeter.is_over_limit` returned False both when the user was under quota AND when no UsageAllowance row existed; the metering middleware interpreted "not over limit" as "included quota available" and skipped prepaid debit. Fix introduces `has_included_quota_remaining` as the explicit gate; per-event metering decision audit (debited / skipped:byom / skipped:included_quota / skipped:zero_cost) now logs every flush. New endpoints `/api/v1/billing/usage/recent`, `/api/v1/billing/balance/reconcile`. Currency explicitly tagged as USD on `/balance` and `/usage/recent` so UIs never default to the user's browser locale ("15 CAD" display bug).

May 2026 — Automation platform, integrations, model catalog

The biggest infrastructure shift since launch: the user can close their laptop and scheduled, webhook-driven, and multi-agent work keeps running on the cloud. 11 SaaS integrations and 8 ready-to-enable customer templates ship with it.

  • Added
    • Automation platform foundation — 10 new Postgres tables under the `automation` schema (agent_sessions, automations, automation_triggers, agent_definitions, agent_tasks, agent_runs, agent_messages, agent_artifacts, agent_memory_entries, agent_credentials) plus Alembic migration `029_automation_platform_init`. The schema backs the durable multi-agent path.
    • AutomationDaemon — scheduler tick (30s default), worker pool (4 concurrent by default) with `SELECT ... FOR UPDATE SKIP LOCKED` claim semantics, watchdog for stalled runs. Knobs: `MIDCORE_AUTOMATION_DAEMON`, `MIDCORE_AUTOMATION_TICK_SECONDS`, `MIDCORE_AUTOMATION_WORKERS`.
    • 8 customer-ready automation templates: Social Media Marketing, Email Triage & Auto-Reply, Daily Task Timeline & Reminder, Weekly Status Report, Lead Capture & CRM Sync, Customer Support Triager, Competitor Monitor, Newsletter Compiler. Each ships with production-grade prompts and per-template safety rules.
    • 11 SaaS integration adapters under `services/autonomy/tools/integrations/` — Slack (Web API), Notion (REST), HubSpot (CRM batch upsert), Linear (GraphQL), X / Twitter (v2), LinkedIn (UGC posts), SMTP (Gmail/Outlook XOAUTH2 + generic), IMAP (XOAUTH2 + generic), Google Calendar, generic HTTP (SSRF-guarded), RSS (RSS 2.0 + Atom).
    • IntegrationDispatcher — process-wide singleton, shared httpx pool, automatic retry on 429/5xx/network with provider-honored Retry-After, encrypted credential resolution with tenant cross-tenant guard, structured logging that never includes plaintext tokens.
    • Webhook intake routes — `POST /webhooks/{tenant_id}/{github|slack|linear|pagerduty|email|generic}`. Per-provider HMAC verification (GitHub `sha256=`, Slack `v0=` with 5-min replay window, Linear bare hex, PagerDuty `v1=` with key rotation), LRU + DB idempotency, automatic dispatch to matching triggers.
    • Multi-agent session board — `/api/v1/sessions/...` CRUD + `GET /sessions/{id}/trace` SSE live stream. Tenant-scoped. Web Studio UI under `/app/sessions` with tabs (overview/roster/tasks/trace/messages), inline agent + task creation, status transition buttons.
    • Durable multi-agent coordinator — replaces the in-process asyncio.Queue with `automation.agent_messages` rows + Postgres LISTEN/NOTIFY for ≤10ms delivery latency. Falls back to polling when LISTEN/NOTIFY isn't reachable.
    • Filesystem→DB migration utility — `python -m services.autonomy.automation_filesystem_migrator` walks legacy `.maestro/automations/*/runs.jsonl`, normalizes status, and idempotently imports via deterministic UUIDv5 keying.
    • Model catalog — DB-backed chat-model registry with per-user toggles, daily APScheduler refresh, and admin-side enable/disable. Image tag: `api:onprem-20260530-modelcatalog`.
    • LLM provider keys hardened across the deploy: Anthropic, OpenAI, Gemini, xAI, DeepSeek keys all live in Azure Keyvault `maestro-beta-kv-tjzct7wj` and the k8s `maestro-secrets` Secret; rotation runbook + Windows-kubectl notes added.
    • Signed Windows installer pipeline — Azure Trusted Signing with DPAPI-encrypted XML credential blob, Keyvault-backed secret retrieval, one-line on-prem signing via `build-sign-windows-onprem.ps1`. SmartScreen reputation recipe (download proxy via midcore.ai + blob content metadata + WDSI false-positive submission) defeats "couldn't scan" warnings on new builds.
    • Desktop release publishing pipeline — Azure Blob upload of MSI/installer plus `MIDCORE_CURRENT_VERSION` env flip on the API; `/app/downloads` serves the new build immediately.
    • VS Code extension automation sidebar — promotes the AutomationPanel from a transient webview to a real sidebar view, with refresh / enable / disable / run-now / delete actions and a 30s polling refresh.
    • Vibe-runtime intent + context: ConversationContextAnalyzer now surfaces compacted-summary awareness, original-user-intent preservation scoring, and topic classification fields used by the prompt harness.

April 2026 — Studio, Intent Wizard, and add-ons

A focused release that pulls the most-used customer surfaces together: a new way into Studio, a smoother sign-in into the desktop app, and two new add-ons.

  • Added
    • Studio Intent Wizard — describe the outcome in one text box; the wizard asks any clarifying questions, drafts the plan, and lets you launch when you are ready.
    • Studio panel parity inside the Desktop IDE and the VS Code extension, so the same Intent Wizard works wherever you write code.
    • Web → Desktop sign-in handoff: sign in once in the browser and the desktop app opens already authenticated, no token paste required.
    • Signed Windows MSI installer with checksum verification and a polished first-launch experience.
    • Offline stack add-on for fully self-hosted, air-gapped runs of the platform.
    • BYOM (Bring Your Own Model) add-on for any Cloud plan, so teams can route to their own model providers.
  • Changed
    • Faster cold-start and quicker first response in Studio.
    • Public docs reorganised around outcomes (what you get) instead of internal subsystems.

Earlier (v0.x)

  • Added
    • Docs: FAQ, Learning path, and Phase 4 depth (key takeaways, checklists, expanded glossary and troubleshooting).
    • Docs: Troubleshooting, API overview, SDK, Glossary, Tools reference, gates.yaml.
    • Client-side doc search and next/previous navigation in docs.
  • Changed
    • Changelog restructured into versioned sections with Added / Changed / Fixed.
  • Fixed
    • CLI reference expanded with flags, exit codes, and pipeline examples.

Upcoming

Planned improvements and fixes will be listed here as they are scheduled. Check back for updates.

Back to Docs · Troubleshooting