Releases: Valtora/Nojoin

v0.9.1

29 Apr 00:47

v0.9.1

A maintenance release focused on security hardening, dependency patches, and a backup restore fix.

Security

  • Companion (SSRF): Hardened outbound backend calls in the Companion app to block server-side request forgery attempts against internal/loopback addresses.
  • Companion (jsonwebtoken): Bumped jsonwebtoken to v10 to patch a type-confusion advisory.
  • Frontend (postcss): Overrode postcss to ^8.5.10 to patch an XSS advisory in the build toolchain.

Bug Fixes

  • Backup restore: Recordings are now matched by meeting_uid and public_id during restore, preventing mismatches when restoring across environments where legacy timestamp-derived IDs would have collided or drifted.

Documentation

  • Updated README to better describe Nojoin as a self-hosted meeting transcription platform and clarified its features and purpose.
  • Added light and dark theme screenshots, with a link from the README to the new screenshots page.

Upgrade Notes

No schema or configuration changes are required for users already on v0.9.0. Standard upgrade path applies — pull the latest images / rebuild and restart the stack. Companions will continue to operate against an upgraded backend without re-pairing.

⚠️ Upgrading from v0.8.x or earlier? v0.9.0 was a major release with breaking changes (opaque recording public IDs, canonical HTTPS origin enforcement, revocable Companion pairing credentials, and strict version parity requiring a clean re-pair). Please review the v0.9.0 release notes and follow that upgrade guidance before applying v0.9.1.

Binary Hotfix

Recompiled binaries after hotfix commit rather than bumping version to 0.9.2.

Full Changelog: v0.9.0...v0.9.1

v0.9.0

28 Apr 21:55

Nojoin 0.9.0

0.9.0 is a security and trust release. The Companion app and backend now negotiate a mutually authenticated, version-locked, locally-encrypted channel; recording identifiers are no longer derived from timestamps; and the Companion desktop experience has been rebuilt around a state-driven launcher. Every existing Companion install must be re-paired after upgrading.


Upgrade guide (0.8.x → 0.9.0)

Read this section before upgrading any production deployment.

Mandatory steps

  1. Back up data/ first. Recording IDs change shape during migration (see breaking changes); backups protect you if a rollback is needed.
  2. Set a canonical HTTPS origin. The backend now refuses requests whose origin does not match the configured canonical HTTPS host. Confirm your reverse-proxy or docker-compose environment exposes the expected public origin before bringing the API back up.
  3. Pull and rebuild. Standard docker compose pull && docker compose up -d --build flow. Startup migrations run automatically and now tolerate orphaned Alembic revisions, so a stuck head from a prior partial upgrade will self-heal.
  4. Re-pair every Companion install. Bootstrap pairing tokens have been removed and replaced with revocable credentials. Existing pairings will be rejected. In the web app, open Settings → Companion, generate a new pairing code, and complete pairing from each Companion device.
  5. Reinstall or update the Companion app on every device. Version parity between Companion and backend is now strictly enforced — a 0.8.x Companion will refuse to connect to a 0.9.0 backend and vice versa.

What users will see after installing the new Companion

The first launch after install or upgrade walks the user through a short setup waterfall:

  • A prompt to install and trust the Companion's local HTTPS identity (used so the browser can talk to the Companion over https://localhost). The Companion can repair or uninstall this identity later from Settings.
  • A pairing prompt that exchanges a one-time code with the backend and pins the backend's TLS certificate on first use (TOFU). Subsequent certificate changes will be refused until the user explicitly re-pairs.
  • A version-check prompt if the Companion and backend versions do not match exactly.

Autostart launches now stay docked in the system tray rather than opening a window.

Firefox users

Firefox does not consult the OS trust store, so the Companion's local HTTPS certificate must be trusted inside Firefox itself. The new launcher detects Firefox and surfaces explicit guidance, but the trust step is still manual:

  • After installing the local HTTPS identity, open Firefox and visit the Companion's local HTTPS URL once.
  • Accept the certificate prompt, or import the Companion's root certificate into Firefox's certificate manager (about:preferences#privacy → Certificates → View Certificates → Authorities → Import).
  • The Companion Settings page will continue to show a Firefox-specific support card until trust is established; this is expected.

Rollback

Rolling back to 0.8.2 requires restoring the pre-upgrade data/ backup. Recording public IDs and pairing credentials issued under 0.9.0 are not recognised by 0.8.x.


Breaking changes

  • Opaque public recording IDs. Recording identifiers are no longer derived from timestamps. Any external integration, bookmark, or stored deep-link that referenced the old ID format must be re-issued.
  • Canonical HTTPS origin enforced. The backend rejects requests whose origin does not match the configured canonical HTTPS origin.
  • Revocable Companion credentials. Bootstrap pairing tokens are removed. All Companion pairings must be redone.
  • Strict Companion ↔ backend version parity. Mixed-version deployments are refused; clean re-pair is required across an upgrade.

Security

  • Local Companion API is now served over HTTPS with a Companion-managed local identity, including bootstrap, repair, and uninstall flows.
  • TOFU TLS pinning for paired backends; pinned certificates survive Companion restarts and signal manual disconnects clearly.
  • Local Companion control routes are gated by paired-auth credentials.
  • Standard JWTs gain explicit invalidation and rotation controls; revoked tokens are tracked server-side.
  • Companion auth endpoints are rate-limited.
  • Browser session writes are restricted to the trusted origin.
  • Backend password policy is enforced; argon2 hashing path replaced (passlib argon2 issue resolved); password manager compatibility improved across auth forms.
  • Nonce-based CSP enforced via the frontend proxy.
  • Authenticated validation errors are sanitised; Companion logs are redacted and handled more defensively.
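
The trust-on-first-use behaviour described in the upgrade guide and in the TOFU bullet above (pin at pairing, survive restarts, refuse a changed certificate until an explicit re-pair), as an added Python example rather than the Companion's own code. The class and function names, the JSON pin file, the host name and the byte strings standing in for DER certificates are all assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile


class NotPaired(Exception):
    """No pin exists for this backend; pairing must happen first."""


class PinMismatch(Exception):
    """Presented certificate differs from the one pinned at pairing time."""


class PinStore:
    """File-backed store mapping backend host -> SHA-256 of its DER certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):  # pins survive a restart
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def fingerprint(der_cert):
        return hashlib.sha256(der_cert).hexdigest()

    def _save(self):
        # Write then rename, so a crash cannot leave a half-written pin file.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)

    def pair(self, host, der_cert):
        """Explicit user action: trust the certificate presented right now."""
        self.pins[host] = self.fingerprint(der_cert)
        self._save()

    def verify(self, host, der_cert):
        """Run on every connection; it never updates the pin by itself."""
        pinned = self.pins.get(host)
        if pinned is None:
            raise NotPaired(host)
        if not hmac.compare_digest(pinned, self.fingerprint(der_cert)):
            raise PinMismatch(host)
        return True


def demo():
    """Pair, restart, see a changed certificate refused, then re-pair."""
    # Constructed stand-ins for DER certificates. In Python the real bytes
    # come from ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    host = "nojoin.example"  # hypothetical backend host
    path = os.path.join(tempfile.mkdtemp(), "pins.json")

    PinStore(path).pair(host, cert_a)
    store = PinStore(path)  # simulated Companion restart
    outcomes = [store.verify(host, cert_a)]
    try:
        store.verify(host, cert_b)  # certificate changed without re-pairing
    except PinMismatch:
        outcomes.append("refused")
    store.pair(host, cert_b)  # user explicitly re-pairs
    outcomes.append(store.verify(host, cert_b))
    return outcomes


if __name__ == "__main__":
    print(demo())
```
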

Companion app

  • New state-driven launcher with content-sized native windows and a clearer lifecycle.
  • Pairing controls relocated into Settings, with redesigned guidance and a polished pairing window flow.
  • Streamlined native settings and tray surfaces; tray fallback simplified.
  • Autostart launches stay in the system tray instead of opening a window.
  • Hardened pairing transport, better diagnostics, and a stable re-pair flow.
  • Improved offline recording recovery and reconnect behaviour.
  • Cleanup of orphaned upload artifacts on both Companion and backend.

Recordings and workspace

  • Opaque public recording IDs (see breaking changes).
  • Simplified empty-workspace landing page; empty archive views no longer auto-open a recording.
  • Unified live audio monitoring and warning controls during recording.

Calendar

  • New day timeline view on the dashboard calendar.

UI and UX

  • Unified sidebars and the Meet Now card under a shared ambient theme.
  • Increased dashboard and Companion theme contrast.
  • Streamlined meeting controls; button labels now carry meeting state.

Reliability

  • Startup migrations tolerate orphaned Alembic revisions instead of failing the boot.
  • Companion Cargo.lock refreshed for rand security advisories.
  • Frontend lockfile metadata refreshed.

Documentation

  • Companion guide published; support docs aligned.
  • Security upgrade plan phases closed out and re-baselined.
  • Development guide clarifies the local Docker compose workflow and the frontend rebuild process.
  • README tightened around features and purpose.

Full Changelog: v0.8.2...v0.9.0

v0.8.2

15 Apr 09:52

Nojoin v0.8.2

This is a hotfix release for v0.8.1.

Highlights

  • Fixed a calendar integration failure mode where unreadable encrypted calendar data could break provider configuration loading and related calendar views.
  • Improved recovery behavior so invalid encrypted calendar state is reset safely instead of surfacing as a hard failure.
  • Added operator guidance for DATA_ENCRYPTION_KEY so persistent deployments keep calendar credentials readable across upgrades, restores, and host changes.

Fixes

  • Calendar provider configuration now falls back cleanly to environment-backed settings when stored provider secrets can no longer be decrypted.
  • Unreadable stored calendar connection tokens now trigger a reconnect-required reset instead of causing calendar flows to fail unpredictably.
  • Added regression coverage for unreadable provider secrets and unreadable calendar connection tokens.

Documentation and Configuration

  • Added DATA_ENCRYPTION_KEY to the example environment configuration.
  • Updated deployment, getting started, calendar, and README guidance to explain when and why DATA_ENCRYPTION_KEY should be set.
  • Clarified the safe adoption path for existing deployments.

Important Upgrade Note

If your existing installation already has data/.data_encryption_key, copy that current value into DATA_ENCRYPTION_KEY before restarting after upgrading.

Do not generate a new value for an existing installation unless you intentionally want to reset encrypted calendar credential state. Changing the encryption key without re-encrypting stored secrets will make previously stored calendar credentials unreadable.

Why This Release Exists

v0.8.1 relied too heavily on the generated on-disk encryption key fallback for calendar credential persistence. That was an operational oversight for deployments where application data and the database may be managed separately. v0.8.2 addresses that gap with both runtime hardening and clearer deployment guidance.

Process Update

As the project matures, the repository will move toward using an active development branch for release testing before changes are accepted onto main. The goal is to catch release-safety and operational issues like this earlier, before they land in a production tag.

Recommended Next Steps

  • Upgrade to v0.8.2.
  • Set and retain a stable DATA_ENCRYPTION_KEY for persistent deployments.
  • Reconnect any calendar accounts that were affected by unreadable stored credentials.

v0.8.1

15 Apr 08:23

Nojoin v0.8.1

v0.8.1 is a focused hardening and onboarding release from v0.8.0. It secures first-run setup, reduces public API exposure, improves the first-run Dashboard and Recordings experience, and simplifies the operator deployment path. It also fixes the dashboard deadline editor, keeps admin user management state in sync, and refreshes the deployment and usage documentation around the current release workflow.

Highlights

  • First-run setup now requires an operator-defined FIRST_RUN_PASSWORD.
  • Bootstrap setup credentials now use Authorization: Bootstrap <secret>.
  • New installs now land on the Dashboard after setup, with a dedicated /recordings landing page and split Dashboard, Recordings, and transcript tours.
  • API docs, detailed system health, and other operational surfaces are now protected behind authentication, while public responses are reduced to the minimum needed.
  • The tracked .env.example and docker-compose.example.yml templates now match the real operator workflow more closely.

What's New

Setup, onboarding, and navigation

  • First-run initialisation now fails closed until FIRST_RUN_PASSWORD is configured on the server.
  • The setup wizard can still pre-fill AI and Hugging Face configuration, but only after the bootstrap password is provided.
  • Completing first-run setup now takes the new Owner to the Dashboard instead of immediately opening the demo meeting.
  • /recordings now opens with a dedicated landing view that points new users toward the seeded Welcome to Nojoin meeting.
  • Guided tours are now split into separate Dashboard, Recordings, and transcript walkthroughs, with reset support in Help settings.
  • The login page now includes a direct link to setup for fresh deployments.

Dashboard and admin UX

  • Fixed a dashboard task deadline issue where saving a deadline could reorder cards and leave the page unresponsive. Deadline editing now uses a dedicated modal.
  • Renamed the dashboard To-Do List label to Task List across the UI and supporting copy.
  • Fixed admin user management so create, edit, and delete actions refresh the paginated user list immediately, keeping counts and pagination accurate.

Security and reliability

  • Detailed system health is now authenticated-only, while the public health check is reduced to a minimal reachability endpoint.
  • API docs and OpenAPI endpoints now require authentication.
  • Public invitation validation and first-run helper responses no longer expose unnecessary metadata.
  • Backend operational errors are sanitised before they reach clients, reducing accidental leakage of internal paths, provider failures, and runtime details.
  • Added tighter security headers and more explicit CORS allowlists across the frontend and reverse proxy.
  • Application logs now redact bootstrap credentials, Authorization headers, cookies, passwords, tokens, and API keys.
  • Companion connectivity checks now use the shallow public health endpoint rather than detailed system telemetry.

Deployment, docs, and release tooling

  • Simplified the tracked .env.example and compose template so they reflect the actual operator workflow: create local .env and docker-compose.yml files from the tracked examples, then customise locally.
  • Clarified the auto-generated JWT signing key behaviour and GPU-by-default deployment expectations.
  • Reorganised the documentation into clearer guides for getting started, deployment, usage, administration, calendar setup, backup and restore, architecture, and development.
  • Fixed companion release version syncing so Cargo.lock stays aligned with the rest of the companion version metadata during releases.

Admin and deployment notes

  • FIRST_RUN_PASSWORD is now required before the first successful Nojoin initialisation. If you add or change it, restart or redeploy before using the setup wizard.
  • If you have any custom setup automation or clients, update them to send the bootstrap secret as Authorization: Bootstrap <secret>.
  • Unauthenticated access to detailed setup helpers, detailed system status, and API docs is no longer supported.
  • No database migration files are included in this release.
  • Keep server and Companion versions aligned, especially around setup, auth, and release packaging changes.

Full Changelog: v0.8.0...v0.8.1

v0.8.0

13 Apr 16:44

Nojoin v0.8.0

v0.8.0 is a major release from v0.7.6. It introduces the brand-new Dashboard, the first pass of Calendar integration, and the new personal To-Do workflow, alongside live capture improvements, better release visibility, and a round of security and reliability hardening.

Highlights

  • Brand-new Dashboard workspace with Meet Now, recent meetings, and a cleaner split between the dashboard and recordings library.
  • First-pass Google and Outlook calendar integration with OAuth sign-in, sync, agenda and month views, meeting links, and per-calendar colours.
  • New dashboard Task Cards with completion tracking, inline editing, timed deadlines, and live countdown badges.
  • Live capture notes and processing ETA for in-flight meetings.
  • New Updates centre in Settings with release history, release notes, and Companion installer links.
  • Hardening for Companion authentication, password rotation, TLS fingerprint handling, backup and restore, and frontend dependencies.

What's New

Dashboard and Daily Workflow

  • Introduced the first real Dashboard home and moved the recordings library into its own dedicated workspace.
  • Added a dashboard Meet Now control surface, recent meeting cards, better route-aware navigation, and improved desktop and mobile behaviour.
  • Reworked the dashboard into a daily-work surface focused on capture, upcoming meetings, and personal follow-up work.
  • Added shared ambient workspace styling across the dashboard and in-flight meeting views.
  • Opening the recordings library now auto-selects the most recent meeting.

Calendar

  • Added the first pass of Google Calendar and Microsoft Outlook calendar integration across backend, frontend, and deployment.
  • Added admin-side OAuth provider configuration and user-side connect, disconnect, sync, and calendar selection flows.
  • Added dashboard month and agenda views with month navigation, next event, future-focused agenda items, meeting links, location display, and day drill-down behaviour.
  • Added per-calendar colour overrides in settings and colour-coded calendar indicators on the dashboard.
  • Improved sync reliability with incremental Google sync and safer Microsoft fallback behaviour for recurrence and delta edge cases.
  • Hardened dashboard meeting links so supported providers surface clear join actions while other URLs remain visible without being over-promoted.
  • Fixed OAuth redirect origin alignment for remote and reverse-proxied deployments.
  • This is intentionally a first-pass calendar release and will continue to harden in future updates.

To-Do

  • Added personal dashboard Task Cards as a completely new feature in Nojoin.
  • Added task creation, completion, reopening, deletion, and inline title editing.
  • Replaced date-only deadlines with timed deadlines stored as full date-and-time values.
  • Added live time-remaining badges and improved sorting of active versus completed tasks.
  • Replaced the older deadline control with a compact calendar and time picker, shortcut times, and better overlay behaviour.

Recording and Processing

  • Added live user notes while a meeting is recording or processing.
  • User-authored notes now feed into speaker inference and meeting note generation, and final notes clearly label carried-forward user notes.
  • Added processing ETA based on prior completed runs, with learning behaviour before estimates appear.
  • Retry Processing now clears generated artefacts and rebuilds them from the original audio while preserving recording metadata, tags, uploaded documents, and user notes.
  • Improved transcript speaker reassignment so segment identity is preserved more reliably during updates.

Updates, Settings, and UX

  • Added a new Updates section in Settings backed by GitHub Releases metadata.
  • The version UI now shows the installed version, latest stable release, release history, published release notes, and Companion download links.
  • Added a configurable application timezone used by the dashboard calendar and task deadline handling.
  • Improved light and dark theme contrast across settings, auth, and dashboard surfaces.
  • Refreshed README screenshots and updated the product, usage, and deployment documentation.

Security and Reliability

  • Hardened Companion authentication by separating pairing from recording upload scope.
  • Companion pairing now uses a bootstrap token, and each recording receives its own short-lived upload token for upload, status, finalisation, and discard operations.
  • Enforced forced password rotation server-side for affected users and routed them into an account-only password reset flow.
  • Upgraded the frontend to Next.js 16.2.3 to pick up patched upstream fixes.
  • Hardened TLS fingerprint retrieval and logging to avoid leaking sensitive details.
  • Improved backup and restore handling for identity matching and audio restoration.
  • Backups now preserve dashboard task data, people and voiceprint data, and calendar integration state so the new dashboard experience restores more completely.

Admin and Deployment Notes

  • Run database migrations before using v0.8.0.
  • If you plan to use calendar integration or expose Nojoin behind a public URL, set the public web origin explicitly with WEB_APP_URL.
  • New deployment environment variables include WEB_APP_URL, DEFAULT_TIMEZONE, GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, MICROSOFT_OAUTH_CLIENT_ID, MICROSOFT_OAUTH_CLIENT_SECRET, and MICROSOFT_OAUTH_TENANT_ID.
  • Backup archives now include restorable calendar OAuth credentials and connection tokens so calendar integrations can be recovered. Treat backup files as sensitive secrets.
  • AI and Hugging Face style application keys remain redacted from backups and must still be re-entered after restore when needed.
  • Companion pairing and upload flows changed in this release, so server and Companion versions should be kept in sync.

Full Changelog: v0.7.6...v0.8.0

v0.7.6

09 Apr 21:58

v0.7.6 is a significant release for Nojoin. It formalises the project's long-term direction: Nojoin is a single, fully free and open-source product licensed under AGPLv3, and there are no plans for a separate enterprise, premium, or closed-source edition.

This release also delivers important security hardening across authentication, session handling, companion pairing, and public endpoint protection.

Open-Source Direction

  • Clarified Nojoin's licensing and product direction across the repository, documentation, and contribution guidance.
  • Removed remaining references to future enterprise, premium, cloud, or split-edition positioning.
  • Simplified contribution terms so contributions are included under AGPLv3, without a separate CLA or commercial carve-out.

Features

  • Introduced dedicated scoped companion tokens for recording flows instead of broader authentication reuse.

Fixes and Improvements

  • Hardened authentication with Secure HttpOnly browser sessions and clearer separation between browser auth and API bearer tokens.
  • Added rate limiting for login, invitation validation, and invitation-backed registration endpoints.
  • Improved reverse-proxy safety by deriving invitation links and companion TLS fingerprint resolution from configured trusted origins.
  • Updated live system log streaming to use the authenticated browser session rather than placing tokens in WebSocket URLs.
  • Included a small recording-note rename improvement.
  • Updated the frontend axios dependency to 1.15.0 for the latest security fix.

Full Changelog: v0.7.5...v0.7.6

v0.7.5

09 Apr 10:07

v0.7.5

Bug Fixes

  • Context menus now use dynamic viewport-aware positioning based on their rendered size, preventing overflow off-screen and improving usability near screen edges.

  • People voiceprint management now refreshes immediately after voiceprint deletion, exposes the latest voiceprint lock state in the People view, and prevents recalibration when no stored voiceprint exists.

  • The People UI now removes stale Recalibrate Voiceprint actions when a voiceprint is absent and uses in-app notifications instead of browser alerts for merge and deletion outcomes.

  • The recording detail view now keeps polling until proxy audio is ready and reacts immediately to proxy availability changes, so the audio player unlocks as soon as proxy generation completes.

Full Changelog: v0.7.4...v0.7.5

v0.7.4

07 Apr 15:06

v0.7.4

New Features

Phantom Speaker Filter — A new two-stage post-diarization filter prevents non-speech audio (notification chimes, background noise, etc.) from being assigned as phantom speakers in transcripts.

  • Stage 1 flags candidates using heuristics: unusually low total duration and very few segments.
  • Stage 2 validates each candidate by extracting a speaker embedding and comparing it against established speakers. Non-speech segments are reassigned to the nearest temporal speaker; segments that match an established speaker are merged into that speaker; ambiguous short-duration speakers are preserved.
  • The filter is fail-safe — any internal exception falls back to the original unfiltered diarization result.

Bug Fixes

Voiceprint Recalibration on Cleaned-Up Recordings — The /recalibrate endpoint would return a 500 error when the original WAV file had been cleaned up or was otherwise unavailable. The endpoint now applies the same os.path.exists guard and proxy_path fallback that all other embedding extraction call sites already used, and skips with a warning when neither path is available.

CI / Infrastructure

GitHub Actions upgraded to Node.js 24 — Updated five actions in the release workflow to their latest major versions to maintain compatibility with the Node.js 24 runtime:

  • actions/checkout v4 → v5
  • docker/login-action v3 → v4
  • docker/metadata-action v5 → v6
  • docker/setup-buildx-action v3 → v4
  • docker/build-push-action v5 → v7

Full Changelog: v0.7.3...v0.7.4

v0.7.3

07 Apr 10:58

v0.7.3

Bug Fixes

Speaker Identification & Voiceprint Hardening

This release addresses a cascading mis-identification issue where borderline-confidence auto-updates were gradually corrupting global speaker voiceprints, causing previously reliable speakers to be misidentified over time.

  • Confidence-gated auto-updates: Global speaker voiceprints are no longer updated by borderline matches. A match must now exceed a confidence of 0.85 to trigger an auto-update. Matches in the 0.75–0.84 range will still correctly identify the speaker in that recording but will not alter the stored voiceprint.
  • Drift guard: Embedding merges are now rejected outright when the incoming embedding's cosine similarity to the stored voiceprint falls below 0.6, preventing false-positive pollution from highly dissimilar audio.
  • Outlier filtering in voiceprint extraction: When building a voiceprint from multiple segments, the system now statistically filters mis-diarised segments before averaging using pairwise cosine similarity with a one-standard-deviation cutoff.
  • Recalibration & split-speaker averaging fix: The iterative merge_embeddings function (which biased the result approximately 90% toward the first embedding) has been replaced with a proper arithmetic mean (np.mean) for all multi-segment averaging operations, including recalibration and split-speaker flows.
  • Scan-matches threshold raised: The speaker scan endpoint's default match threshold has been raised from 0.65 to 0.75, and a margin-of-victory check has been added to prevent ambiguous matches from being surfaced.
  • UI match suggestion threshold raised: The strong-match threshold shown during voiceprint extraction has been raised from 0.65 to 0.75, consistent with the auto-identification threshold.
  • Centralised thresholds: All speaker identification and matching thresholds are now defined as named constants in backend/processing/embedding.py. No threshold values are hardcoded elsewhere.
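
The gating rules in this list, sketched as an added example (not the code in backend/processing/embedding.py). The thresholds are the ones quoted above; the function and constant names, the treatment of match confidence as an input separate from the drift-guard cosine similarity, and the 2-D sample vectors are assumptions made for illustration.

```python
import math
from statistics import mean, pstdev

# Thresholds quoted in the v0.7.3 notes; the constant names are hypothetical.
IDENTIFY_THRESHOLD = 0.75      # below this, no speaker match at all
AUTO_UPDATE_THRESHOLD = 0.85   # a match must exceed this to touch the voiceprint
DRIFT_GUARD_THRESHOLD = 0.6    # merges below this cosine similarity are rejected


def cosine(a, b):
    """Cosine similarity of two equal-length vectors (0.0 if either is zero)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def filter_outliers(segments):
    """Drop segments whose mean pairwise similarity to the others is more
    than one standard deviation below the group mean."""
    if len(segments) < 3:
        return list(segments)  # too few segments to estimate a spread
    scores = [
        mean(cosine(seg, other) for j, other in enumerate(segments) if j != i)
        for i, seg in enumerate(segments)
    ]
    cutoff = mean(scores) - pstdev(scores)
    return [seg for seg, score in zip(segments, scores) if score >= cutoff]


def build_voiceprint(segments):
    """Arithmetic mean of the surviving segments: each one weighs the same."""
    kept = filter_outliers(segments)
    return [sum(dim) / len(kept) for dim in zip(*kept)]


def decide(confidence, stored, incoming):
    """Return (speaker_identified, voiceprint_may_be_updated)."""
    if confidence < IDENTIFY_THRESHOLD:
        return (False, False)
    if confidence <= AUTO_UPDATE_THRESHOLD:
        return (True, False)  # borderline: label the recording, keep the voiceprint
    if cosine(stored, incoming) < DRIFT_GUARD_THRESHOLD:
        return (True, False)  # drift guard: too dissimilar to merge
    return (True, True)


# Constructed 2-D "embeddings"; the last segment plays the mis-diarised one.
SEGMENTS = [[1.0, 0.0], [0.9, 0.1], [0.9, -0.1], [0.0, 1.0]]

if __name__ == "__main__":
    voiceprint = build_voiceprint(SEGMENTS)
    print("voiceprint:", voiceprint)
    print("strong match:    ", decide(0.91, voiceprint, [0.95, 0.05]))
    print("borderline match:", decide(0.80, voiceprint, [0.95, 0.05]))
    print("drifted audio:   ", decide(0.90, voiceprint, [0.3, 0.95]))
    print("below threshold: ", decide(0.70, voiceprint, [0.95, 0.05]))
```
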

Docker Security

  • Socket proxy hardened: Removed privileged: true from the nojoin-socket-proxy container, which is not required for read-only Docker socket access on standard installations. Dropped the unused SERVICES and TASKS API permissions. Added SELinux/AppArmor guidance comments to docker-compose.example.yml for affected deployments.

Dependency Updates

  • Next.js 16.2.0: Upgraded next and eslint-config-next from 16.1.5 to 16.2.0, resolving a Dependabot security alert.
  • Transitive dependency patches: Applied npm overrides to resolve three Dependabot alerts for transitive dependencies that could not be addressed by bumping direct dependencies:
    • picomatch pinned to 4.0.4.
    • brace-expansion@1.x pinned to 1.1.13.
    • brace-expansion@2.x pinned to 2.0.3.
  • flatted bumped from 3.3.3 to 3.4.2 (dev dependency).

Full Changelog: v0.7.2...v0.7.3

v0.7.2

22 Mar 10:42

Nojoin v0.7.2 Release Notes

What's New

✨ Features

  • Documents: Implement PDF parsing for RAG context, adding PyMuPDF to extract text from multi-page PDFs.
  • UI: Make meeting card sidebar resizable. (d35c359)

🐛 Bug Fixes

  • Chat: Ensure LLM context awareness for uploaded documents by preventing the system prompt from overriding RAG context and broadening the AI instruction set.
  • Chat: Fix document deletion modal text overflow for long filenames.
  • Nginx: Increase proxy timeout and disable buffering for chat endpoint. (d20da65)
  • Security: Enforce TLSv1.2 minimum version for fingerprint checks. (9d31923)

Full Changelog: v0.7.1...v0.7.2