v0.53.0 — Multi-user Collaboration, Locale Translations

[0.53.0] - 2026-06-24

Added

• Multi-user collaboration — users, teams, API tokens, and resource scoping across the entire
  platform. New users table with PBKDF2 password hashing, teams table with join policies,
  team_memberships join table with admin/member roles, user_tokens table for API access
  (SHA-256 hashed), agents DB table for agent storage (moved from config.json), resource_shares
  table for cross-user sharing, instance_identity and federation_peers tables for instance-to-instance
  federation. (packages/core/src/db/migrations/044_users_teams.sql through 047_core_scoping.sql,
  src/server/auth.ts)
• Database migrations 044–047 — identity tables (users, teams, memberships, tokens, agents,
  federation, resource_shares), vault scoping columns (owner_user_id, owner_team_id), memory
  scoping columns on all memory tables, and resource scoping columns on services/nodes/channels/
  workspace_config. Auto-admin creation on first run with backfill of existing resource rows.
  (src/db/migrate.ts)
• Agent storage moved from config.json to agents DB table — full DB-based CRUD with
  user/team/instance scope filtering. Config.json agents preserved as fallback for backward
  compatibility during transition. Built-in agents seeded into DB as instance-scoped.
  (src/db/agents.ts, src/agent/manager.ts, src/agent/builtin-agents.ts)
• Request identity system — RequestIdentity interface (user/instance/anonymous) with
  userId, teamIds, currentTeamId, isInstanceAdmin fields. Extracted from session cookies or
  Authorization: Bearer API tokens via extractIdentity(). (src/server/identity.ts,
  src/server/auth.ts)
• Authorization guards — requireInstanceAdmin(), requireTeamAdmin(), requireTeamMember(),
  requireResourceOwner() functions for coarse permission checks. Authorization enforced on
  agent detail endpoints (GET/PUT/DELETE) and agent creation with team membership validation.
  (src/server/guards.ts, src/server/routes/agents.ts)
• API token management — POST /api/auth/tokens to create tokens, GET /api/auth/tokens to
  list, DELETE /api/auth/tokens/:id to revoke. Tokens support team-scoping via team_ids JSON
  column, expiration dates, and last-used tracking. (src/server/routes/public-auth.ts)
• Team management API — GET/POST /api/teams, GET/PATCH/DELETE /api/teams/:id,
  GET/POST/PATCH/DELETE /api/teams/:id/members, GET/POST /api/teams/:id/agents.
  Team-scoped agent creation with membership validation. (src/server/routes/teams.ts)
• Resource sharing API — POST /api/shares to share resources between users,
  GET /api/shares/given and GET /api/shares/received to list shares,
  DELETE /api/shares/:id to revoke. Ownership validation enforced before sharing.
  (src/server/routes/shares.ts)
• Federation API — POST /api/federation/generate-pairing-token, POST /api/federation/pair,
  GET /api/federation/peers, DELETE /api/federation/peers/:id for instance-to-instance
  trust establishment. (src/server/routes/federation.ts)
• User management API — GET/POST /api/users, POST /api/users/:id/disable and
  POST /api/users/:id/enable (instance admin only). (src/server/routes/public-auth.ts)
• Multi-user web UI — login page with username+password fields (src/server/ui-auth.ts),
  team selector dropdown in header (src/server/ui/shell.ts), Teams page with member management,
  Users page with create/disable/enable (instance admin). (src/server/ui/js/27_teams.ts,
  src/server/ui/js/28_users.ts, src/server/ui/pages/login.ts, src/server/ui/pages/teams.ts)
• CLI commands for multi-user — cortex login (username+password or API token),
  cortex logout, cortex whoami, cortex users list/create/disable/enable,
  cortex teams list/create. Auth token stored in ~/.cortex/auth.json.
  (src/cli/user-cmd.ts, src/cli/registry.ts)
• Locale translations — all 10 non-English locale files (ar, de, es, fr, hi, ja, ko, pt, ru, zh)
  fully translated from English source. Preserves {variable} placeholders, Unicode symbols, CLI
  commands, and JSON structure. (locales/*.json)

Changed

• Login flow — /api/auth/login now accepts { username, password } for multi-user
  authentication. Falls back to legacy vault-based password verification when username is omitted
  (src/server/routes/public-auth.ts)
• Session model — Session interface gained userId and username fields. Sessions
  are still in-memory (7-day expiry) but track the authenticated user for downstream scoping.
  (src/server/auth.ts)
• Auth middleware — requireAuth() now extracts RequestIdentity with user/team/admin context
  and returns it alongside the authenticate flag. authGuard stores identity in a WeakMap for
  downstream route handlers. (src/server/auth.ts, src/server/routes/auth-guard.ts)
• Agent CRUD scoped — listAgents() accepts optional userId and teamIds for three-layer
  filtering (user → team → instance). Agent routes pass identity context for scope-aware
  operations. (src/agent/manager.ts, src/server/routes/agents.ts)
• Settings page — Removed "Web Authentication" section (password setup/change, require-auth
  toggle) now that user management is handled through the Users page. (src/server/ui/js/12_settings.ts)

Fixed

• Migration version collision — four-part migration 044 (identity, vault, memory, core scoping)
  now uses unique version numbers 044–047 to prevent skip of subsequent migrations after the first
  sub-migration is applied. (src/db/migrate.ts)
• Team agent listing — listAgents() now correctly returns team-scoped agents when called with
  teamIds but without userId. (src/db/agents.ts)
• Agent authorization — GET/PUT/DELETE on individual agents now validates the authenticated user
  owns or has team access to the agent, preventing unauthorized access to private agents.
  (src/server/routes/agents.ts)
• Agent creation scoping — POST /api/agents now validates team membership before accepting
  a teamId parameter, preventing agent injection into arbitrary teams.
  (src/server/routes/agents.ts)
• Per-user default agent isolation — selectAgent() no longer overwrites the global
  defaultAgent when a user selects a personal default. (src/agent/manager.ts)
• Share ownership validation — POST /api/shares now verifies the sender owns the resource
  before creating the share. (src/server/routes/shares.ts)
• Federation pairing token — POST /api/federation/generate-pairing-token now returns the
  actual stored token instead of a mismatched new UUID. (src/server/routes/federation.ts)
• Auth per-request DB query — requireAuth() now caches the user-existence check using a
  module-level flag with invalidation on user create/disable/enable, eliminating a COUNT(*)
  query on every API request. (src/server/auth.ts)
• Teams/Users page rendering — fixed incorrect DOM target (main-panel → teams-content /
  users-content) and wrong escape function (escHtml → esc) in teams and users page JS.
  (src/server/ui/js/27_teams.ts, src/server/ui/js/28_users.ts)

Removed

• src/server/precedence.ts — dead file with no consumers (29 lines). Resource precedence
  resolution will be re-added when needed by callers.
• getAgentsForConfigFallback() — unused export from src/db/agents.ts.
• getUserScopeFilter() — unused export from src/server/guards.ts.
• extractIdentity import — removed dead import from src/server/routes/auth-guard.ts.

v0.52.0

v0.52.0

v0.51.0 — Checkpoint Time-Travel, Tool Forging, Multi-Agent Orchestration, HEXACO Personality, Memory Benchmarking

What's New in v0.51.0

✨ Checkpoint Time-Travel UI

The Memori page now renders a full two-panel timeline with session-grouped checkpoints. Each checkpoint shows turn number, goals, message count, tool calls, and workspace snapshot. Resume here restores the checkpoint; Branch from here forks into a new child session.

🔧 Runtime Tool Forging

Agents can create, test, and export custom tools at runtime:

• tool_forge — write TypeScript code, pass an LLM security judge, run in a Deno Worker (pure compute) or Docker sandbox (shell/fs)
• forged_call — invoke a forged tool by name
• tool_export — promote a forged tool to persistent skills
• tool_list_forged — list session-scoped forged tools

🤝 Multi-Agent Orchestration — 6 Strategies

A single orchestrate tool exposes six composable strategies backed by spawnSubAgent:

• sequential — chain agents, each receiving the prior output as context
• parallel — concurrent execution with a synthesiser agent
• debate — N agents argue positions for R rounds, judge synthesises
• review-loop — writer drafts, reviewer critiques, iterates until approval
• hierarchical — coordinator decomposes, workers execute in parallel
• graph — user-defined DAG with topological execution

🧠 HEXACO Personality System

Agents can be configured with six personality scores (H/E/X/A/C/O ∈ [0,1]) that drive:

• System prompt injection (voice, tone, communication style)
• Memory retrieval bias weights (per-tier multipliers)
• Response style hints (structure, warmth, creativity nudges)
• MQM routing signals (accuracy vs. creativity preference)

📊 Memory Benchmark Runner (LongMemEval-S compatible)

• cortex eval memory CLI — --suite, --sample, --full, --json flags
• REST API: GET /api/eval/memory/results, GET /api/eval/memory/history, POST /api/eval/memory/run
• Web UI results page with stat cards, category breakdown, per-question table, and history trend
• Weekly CI workflow (Monday 06:00 UTC) with artifact upload and step summary

👥 10 Built-in Agents (5 new)

New specialists: Writer ✍️, DevOps 🚀, Security 🔐, Code Reviewer 👁️, QA/Tester 🧪. All existing agents received enriched souls with Capabilities/Guardrails/Limitations sections. New reviewer and writer sub-agent types added.

---

Full changelog: https://github.com/CortexPrism/cortex/blob/main/CHANGELOG.md

v0.50.0 — UI Overhaul, Enriched Sessions, Security Hardening, Import System

Highlights

UI Overhaul — Complete redesign of the Cortex web interface:

• Horizontal top navigation with 5 categories (Chat, Development, Knowledge, Infrastructure, System)
• Contextual sidebar populated dynamically by active category
• 3-button experience level control [B|I|A] filtering 10/29/40 pages
• JavaScript tooltip system with ARIA support, keyboard navigation, and smart positioning
• Dark/light theme toggle using CortexPrism brand colors (cyan #06b6d4, indigo #6366f1)
• 599-line CSS full rewrite with spacing scale, refreshed typography, and 80+ new component classes

Enriched Sessions — Session list upgraded to tree view with token stats, cost, duration, and errors per session.

Security Hardening — 18 issues resolved across all 6 security layers including SSRF protection, session isolation enforcement, and hardened regex patterns.

Import System — Comprehensive migration from OpenClaw and Hermes with config mapping, session import, and memory file migration.

See CHANGELOG.md for full details.

v0.49.1

v0.49.1

v0.49.0

v0.49.0 — Codebase modularization into 6 Deno workspace packages

v0.48.6: Editor Code Runner + Bug Fixes

Added

• Editor code runner integration — ▶ Run button in status bar, F5/Ctrl+Enter/Cmd+Enter shortcuts, language detection, Output panel display

Fixed

• Concurrent agent turns in same WebSocket session guard
• Sub-agent session creation retry for WAL FK timing
• 10s supervisor LLM timeout to prevent indefinite tool blocking
• Malformed <arg_key>/<arg_value> XML tool call parsing (deepseek-v4)
• Ctrl+letter and backspace handling in TUI input engine
• Auto-create parent directories in file_write tool

v0.48.5

chore: bump version to 0.48.5

v0.48.4

chore: bump version to 0.48.4, fix formatting

v0.48.3

v0.48.3: Tool call lens payload auditability and version sync