• v7.0.0 12342a49a3

    v7.0.0
    All checks were successful
    CI / App — typecheck, test & build (push) Successful in 1m28s
    CI / API — typecheck & tests (push) Successful in 2m40s
    Stable

    claude-bot released this 2026-06-30 15:19:31 +00:00 | 14 commits to main since this release

    Tea Leaves v7.0.0 — Cross-Instance Collaborative Editing

    Released 2026-06-30

    Extends the read-only federation layer into write-capable cross-instance collaboration: an invited researcher on another Tea Leaves instance can create and update entries in a host project over a signed ActivityPub channel, with a trust chain, conflict review, and an admin kill-switch. Migrations 041043 (additive).

    Features

    🤝 Cross-instance write path (#12 / #9 / #10 / #11)

    • Invite a remote editor by their ActivityPub actor URL (POST /api/projects/:id/invite-remote); their instance must be federated + enabled.
    • Signed write path — a Create/Update of a Note addressed to a project's AP context becomes an entry write. The signature is verified against the actor's cached key and bound to the activity's actor (no actor spoofing); only accepted remote editors may write (no open inbox). Remote-authored entries carry attribution snapshotted from the actor.
    • Conflict resolution — optimistic lock on updated_at vs the activity's published: non-conflicting writes apply automatically (last-write-wins), conflicts land in an owner review queue (apply / keep mine).
    • Schema: project_collaborators.remote_actor_url + remote_contributions (migration 041).

    ↔️ Editor-side round-trip (#62)

    The other half: an invited editor's instance learns of the invite via a signed AP Invite (a new Shared with me page), signed-fetches the host project's entries (GET /ap/projects/:id), and delivers signed Create/Update edits from a remote-project view — completing create and update end-to-end across instances. (migrations 042043)

    🛑 Admin defederation kill-switch (#61)

    Sever a malicious or compromised instance: a blocked state that hard-rejects its inbound activity before signature processing, revokes its remote editors, quarantines its pending/conflict contributions, and optionally purges the entries its actors authored.

    🔒 Security

    Two hardenings caught by automated review during the build:

    • Inbound signatures must now cover (request-target) / date / digest with the digest verified unconditionally — closes a replay / body-substitution actor-spoofing gap (also hardens the existing Follow/comment inbox).
    • Editor egress (Invite-supplied host URLs) is restricted to admin-federated origins — an SSRF guard.

    🧪 Internal

    API test suite grew to 218 tests (HTTP-signature harnesses for the signed read/write paths). No breaking changes; migrations 041043 apply on startup.

    Downloads
  • v6.2.0 04b40b24d7

    v6.2.0
    All checks were successful
    CI / App — typecheck, test & build (push) Successful in 1m32s
    CI / API — typecheck & tests (push) Successful in 2m30s
    Stable

    claude-bot released this 2026-06-29 17:56:19 +00:00 | 42 commits to main since this release

    Tea Leaves v6.2.0 — Core Improvements

    Released 2026-06-29

    The v6.2 milestone: a new project-scoped taxonomy, an analytics/visualization layer, and a clean split between workspace settings and instance administration. No breaking changes. One additive migration (040_categories).

    Features

    🏷️ Categories for entries & motifs (#6)

    A per-project taxonomy shared by entries and motifs — distinct from freeform tags: categories are project-scoped, curated, and carry an optional color. Full CRUD at /api/categories, assignment on entry/motif forms via a create-on-the-fly picker, colored contrast-aware badges throughout, and category_id filtering on the entry list, motif list, and timeline. Manage them in Settings → Categories. (migration 040_categories)

    📊 Insights — analytics & data visualization (#7)

    A new Insights page surfaces project-scoped analytics computed live from the active project: headline counts, monthly entry volume, certainty breakdown, motif-prevalence-over-time, and a force-directed motif co-occurrence web (motifs that share entries, weighted by overlap). Rendered with recharts. Three read-only endpoints under /api/analytics (overview, motif-prevalence, network).

    ⚙️ Settings / Admin redesign (#8)

    The single sprawling Settings page mixed per-workspace controls with server-wide instance configuration. They're now cleanly split by audience:

    • Admin (admin-only) gains AI, AI tools, Search, Media, Email (SMTP), Backup, and the Federation kill-switch, alongside Version / Storage quotas / Users / Audit Log.
    • Settings keeps the workspace controls every user needs: Projects, Project templates, Tags, Categories, Integrations, Export.
    • Security: /api/settings (and test-email) are now gated to admins — every key in the settings table is server-wide config.

    🐛 Fixes

    • Editing a Markdown entry no longer blanks the app (#52) — replaced the unmaintained tiptap-markdown with the official version-matched @tiptap/markdown, and added a top-level ErrorBoundary so a future render error degrades gracefully instead of whiting out the page.

    🧪 Internal

    Frontend at 63 tests, API at 175 tests — including a non-admin 403 regression test for the newly-gated settings routes.

    Downloads
  • v6.1.0 b82f44d1ae

    v6.1.0
    Some checks failed
    CI / App — typecheck, test & build (push) Successful in 2m9s
    CI / API — typecheck & tests (push) Failing after 3m12s
    Stable

    rbrooks released this 2026-06-25 23:31:33 +00:00 | 64 commits to main since this release

    Tea Leaves v6.1.0 — Core Polish & Fixes

    Released 2026-06-25

    A small, focused release of self-contained core-app fixes (milestone v6.1) to land before the larger v6.2 work — plus a substantial round of frontend test coverage. No migration, no breaking changes.

    Fixes & improvements

    🔗 Clickable motifs from an entry (#3)

    On an entry, the linked motifs in the "Motifs" section rendered each title as inert text — there was no way to jump from an entry to a motif. Each linked motif is now a proper link to its detail page, with a hover affordance.

    🌙 Readable motif graph in dark mode (#5)

    The motif graph used hardcoded light node backgrounds, borders, and background dots, and its chrome (controls, minimap, edges) had no dark theme — leaving it illegible on a dark page. The graph now follows the app theme: node and background colors are themed for dark mode, driven by a new reactive useIsDarkMode() hook.

    📄 Export all motifs as one Markdown document (#4)

    A new motifs.md export combines every motif into a single shareable Markdown document, with --- separators under a document header — reusing the existing per-motif formatter. Available in Settings → Export → All motifs, beside the existing motifs.json.

    🧪 Internal

    Frontend test coverage. The app went from a single smoke test to 59 tests, covering the API wrapper, the sanitize/shortcuts utilities, the Tiptap editor, the auth/theme/offline-queue hooks, and the entry list/detail pages — plus a regression test for each fix above.

    Downloads
  • v6.0.0 cdbcb69777

    v6.0.0 Stable

    rbrooks released this 2026-06-19 23:10:32 +00:00 | 121 commits to main since this release

    Tea Leaves v6.0.0 — Infrastructure & Productivity

    Released 2026-06-19

    This release focuses on the operational backbone of a self-hosted instance — email, storage limits, update awareness — plus two productivity features (project templates and password-protected sharing) and an optional no-external-server embedding mode.

    Highlights

    📧 Email (SMTP)

    Tea Leaves can now send email, configured live from Settings → Email (SMTP) with no environment variables or restart required. Set your host, port, TLS mode, credentials, and from-address, then use Send test email to confirm it works. This powers storage-quota warnings now, with more notification types planned for later releases.

    💾 User storage quotas

    Admins can now cap per-user storage, not just observe it.

    • Set instance-wide default soft and hard limits under Admin → Storage quotas.
    • Override any individual user (Default / Custom / Unlimited) right in the Users table.
    • Hard limits block uploads that would exceed the cap; soft limits send a one-time warning email (or webhook) when crossed.
    • Each user sees their own usage bar on their Profile page.

    🗂️ Project templates

    Start new projects and motifs from a reusable template — a description prompt, a default certainty level, and suggested connection types.

    • Five starter templates ship built-in (album visual analysis, artist filmography, recurring visual motif, lyric-to-visual correspondence, cross-artist visual callback).
    • Create your own personal templates, and admins can publish shared ones for everyone.
    • Save as template on any project detail page captures your working methodology from the project's actual content, so you can reuse it.
    • Templates only set editable defaults at creation — nothing is locked, and no entries or connections are copied.

    🔒 Password-protected projects

    A new sharing mode that sits between "unlisted" and "public": share a link plus a password, and the recipient needs no Tea Leaves account.

    • Set it from a project's visibility selector with a password field.
    • Visitors enter the password once and get short-lived read access — no account, no session.
    • Password-protected projects stay out of your sitemap, public profile listing, and fediverse feeds.
    • Passwords are stored hashed and never exposed by the API.

    🔄 Version & update checks

    A new Admin → Version & updates panel shows the installed version, the latest available release, release notes, and an "Update available" / "Up to date" badge.

    • Check for updates runs an on-demand check; a background job also checks automatically every 12 hours.
    • Update detection is release-based — it compares against the latest official release, so running the newest release always reads as up to date even while development continues on the main branch.
    • The exact deployed build (commit + git describe) is shown for support and diagnostics.

    🧠 Local embeddings (on-device ML mode)

    You can now run text embeddings on-device with no external AI server.

    • Select Local (on-device) as your embedding provider in Settings.
    • Unblocks semantic search, similar entries, duplicate detection, and AI-suggested connections without running or paying for an Ollama/OpenAI/Anthropic server.
    • Uses a ~90 MB open model (nomic-embed-text-v1.5), downloaded once and cached.

    📦 Notes for self-hosters

    • The deploy now stamps the running commit into the image. If you deploy with docker compose up --build, pass the git info so the version panel reads accurately:
      GIT_SHA=$(git rev-parse HEAD) GIT_DESCRIBE=$(git describe --tags --always) docker compose up --build -d
      
    • The API base image moved from Alpine to Debian (bookworm-slim) to support the local-embeddings runtime — no action needed beyond a normal rebuild.
    • New optional settings: SMTP config, storage-quota defaults, and the update-check repo URL — all editable from the UI.
    Downloads
  • v5.0.1 97e2517d3a

    v5.0.1 Stable

    rbrooks released this 2026-06-19 16:51:49 +00:00 | 141 commits to main since this release

    Tea Leaves v5.0.1

    Patch release — fixes a production build break in v5.0.0. No new features, no schema changes.

    Fix

    The dependency audit that landed alongside v5.0.0 (d1334b4, "remove node-cron, upgrade React 19") accidentally dropped @types/multer while removing @types/node-cron. multer itself is still very much in use — file uploads in the media, import, and profile routes depend on the req.file/req.files type augmentation that package provides — so the production TypeScript build (tsc) failed with a wall of "implicitly has an 'any' type" / "Property 'file' does not exist" errors.

    This was invisible in local development because npm run dev (tsx watch) doesn't type-check; it only surfaced when actually building the production Docker image.

    Fix: restored @types/multer to api/package.json.

    If you successfully deployed v5.0.0, this release contains no behavior changes for you. If your v5.0.0 build failed, this is the fix — pull and rebuild.

    Downloads
  • v5.0.0 7b7bf4e6ad

    v5.0.0 Stable

    rbrooks released this 2026-06-19 16:28:17 +00:00 | 143 commits to main since this release

    Tea Leaves v5.0.0

    Focused on capturing more kinds of source material and finding what you already have faster: audio transcription, AI analysis of specific image regions, a more expressive search syntax, saved/alerting searches, and semantic "more like this" recommendations.

    Highlights

    • Audio capture & transcription — record voice notes directly in the capture flow, or upload audio files; transcribed automatically via a Whisper-compatible endpoint.
    • Annotation region AI analysis — select a specific region of an image and get an AI description + tag suggestions for just that region, not the whole image.
    • Advanced search syntax — inline field:value filters (e.g. tag:concert source:bluesky), quoted phrases, and boolean operators, with an in-app syntax reference.
    • Saved searches & alerts — save any search by name for one-click reuse; optionally get a webhook notification when a new entry matches.
    • "More Like This" — every entry and search result can surface semantically similar entries using existing embeddings, no new infrastructure required.

    Everything in this release

    • P1 — Audio Capture & Transcription: voice recording in the quick-capture flow, audio file uploads, async transcription worker, inline transcript with "use as entry content."
    • P2 — Annotation Region AI Analysis: crop-and-analyze mode in the annotation canvas; reuses the existing image description/tagging pipeline scoped to a selected region.
    • P3 — Advanced Search Query Language: websearch_to_tsquery-based parsing, inline field filters, phrase and exclusion syntax, in-app help panel.
    • P4 — Saved Searches & Search Alerts: named saved searches with one-click re-run, optional webhook alerts on new matching entries.
    • P5 — "More Like This": semantic similarity tab on entry detail pages and search results, powered by existing text embeddings.

    No breaking changes to existing data — all new columns are additive with safe defaults.

    Downloads
  • v4.0.0 34352346b7

    v4.0.0 Stable

    rbrooks released this 2026-06-16 00:10:57 +00:00 | 147 commits to main since this release

    Tea Leaves v4.0.0

    A major release centered on projects as the new top-level organizing unit, plus fediverse integration, full version history, and a string of workflow features for managing larger bodies of research.

    Highlights

    • Projects — entries and motifs now belong to a project (private/unlisted/public visibility), with public project pages, citation export, and an embeddable graph view replacing the old flat motif structure.
    • Fediverse publishing — projects can publish to ActivityPub followers; public pages support Atom feeds, JSON-LD export, and cross-instance discovery between Tea Leaves servers.
    • Full edit history — every entry change is tracked with word-level diffs and one-click restore.
    • Trash & recovery — soft-deleted entries, motifs, and projects are recoverable for a configurable retention window before permanent purge.
    • AI-suggested connections — semantically similar entry pairs are surfaced automatically for review using existing embeddings.
    • Bulk operations — tag, reassign, or soft-delete many entries at once with live progress tracking.
    • Markdown entries — entries can now be written in Markdown via a rich-text editor, rendered and sanitized server-side.
    • Video capture — media uploads now accept video, with automatic thumbnail extraction and duration detection.
    • "On This Day" — surfaces entries from the same calendar date in past years.

    Everything in this release

    • P4 — Public Project Pages: public URLs reorganized around projects (/u/:slug/:projectSlug); legacy motif URLs redirect automatically.
    • P5 — ActivityPub at Project Level: fediverse publishing and reply-handling moved from motifs to projects.
    • P6 — Trash & Recovery: restore or permanently delete soft-deleted projects/motifs/entries; nightly retention purge.
    • P7 — RSS / Atom Feeds: feed autodiscovery for public projects and motifs.
    • P8 — On This Day: historical entries from past years on the same date, surfaced in the entry list.
    • P9 — Entry Version History: full audit-log-backed history with diffs and restore.
    • P10 — Structured Project Export (JSON-LD): schema.org-compatible export for citation tools and research aggregators.
    • P11 — Bulk Entry Operations: batch tag/motif/visibility/certainty/delete actions with async progress.
    • P12 — AI-Suggested Connections: automatic discovery of semantically similar entry pairs, with a review queue.
    • P13 — Rich Text / Markdown in Entries: Tiptap-based Markdown editing with two-pass server-side sanitization.
    • P14 — Video Clip Capture: video upload, thumbnail/duration extraction via ffmpeg.
    • P15 — Cross-Instance Federation & Discovery: connect Tea Leaves instances together; nightly indexing of public projects; federated search.
    • P16 — Realignment: closing bug fixes (markdown rendering, video thumbnail status), history coverage for tag/motif changes, and five smaller spec-conformance fixes.

    No breaking changes to existing data — all new columns are additive with safe defaults.

    Downloads
  • v3.0.0 11d9166825

    v3.0.0 Stable

    rbrooks released this 2026-06-14 01:26:36 +00:00 | 182 commits to main since this release

    What's New in v3.0.0

    This release marks the completion of the v3 roadmap — a major expansion of Tea Leaves from a personal research tool into a full publishing and collaboration platform.


    Image Annotation (P1)

    Draw and label regions directly on screenshots and media files. Rect and polygon annotations with touch support, stored per media item. Annotations survive media deletion cascades.

    Profile Settings & Public Slug (P2)

    Identity layer for all publishing features: display name, bio, avatar upload, social links (Bluesky, website), and a public username/slug with optional redirect preservation on change.

    Visibility Controls (P3)

    Three-tier visibility (private / unlisted / public) on both entries and motifs. Unauthenticated GET /api/public/:slug/entries and /motifs routes expose public content without login.

    Public Profiles & Motif Pages (P4)

    Public-facing profile pages (/u/:slug) and shareable motif pages (/u/:slug/motifs/:motifSlug) with Open Graph meta tags, print/PDF support, embeddable graph view, APA-style citation copy, and sitemap.xml / robots.txt generation.

    Comments (P5)

    Threaded comments (one level of replies) on motifs for logged-in users and share-link holders. Viewer-role share links are read-only; commenter-role holders can post with a display name. Motif owners can delete any comment.

    Outgoing ActivityPub (P6)

    Publish research to the fediverse. WebFinger, Actor, Outbox, and Followers endpoints; RSA-2048 HTTP Signatures; Follow/Unfollow inbox handling; per-motif "Publish to fediverse" button. Private keys are AES-256-GCM encrypted at rest and never returned by any API.

    Tag Management (P7)

    Settings → Tags section for renaming, merging, and deleting tags. Rename preserves all entry associations; merge transfers associations and removes the source tag.

    Admin Panel (P8)

    Admin-only user management (role promotion/demotion, enable/disable) and paginated audit log viewer with filters. The first registered user is automatically seeded as admin. Deactivated users are rejected at the OIDC callback and have their sessions terminated on the next /auth/me poll.

    Advanced Backup (P9)

    Multi-destination backup with per-destination cron schedules, snapshot browser, two-snapshot diff viewer, and a granular entry-level restore flow (stage → review → apply/skip per entry). Integrity trend sparkline shows the last 12 weeks of verification results.

    Image Embedding & Visual Similarity (P10)

    AI-generated description text is embedded and stored alongside each media upload. Per-image "Find similar images" button surfaces the top 8 visually similar images across all entries. Batch re-embedding available from Settings → AI tools.


    Gap Fixes (post-P10)

    • Per-user Fediverse toggle — users can opt out of federation from their profile; all AP/WebFinger endpoints return 404/410 when disabled
    • Server-wide federation kill switch — admins can disable ActivityPub entirely from Settings
    • Embedding dimension hint — Settings UI now warns that the vector(768) column requires a migration if the model output dimension changes
    • Public comments on motif pages — visitors can read comments on public motif pages without logging in; logged-in users can post
    • Image thumbnails in search results — search result cards show a 56×56 thumbnail when the entry has an image with an embedding

    Database Migrations Applied

    Migrations 015–024 are applied automatically on startup.

    Downloads
  • v2.0 446a81626f

    rbrooks released this 2026-06-12 21:27:36 +00:00 | 203 commits to main since this release

    Highlights

    Timeline view — A new /timeline page lays every entry out chronologically, grouped by month, week, or day. A density histogram at the top lets you see where your research clusters at a glance; clicking any bar scrolls directly to that period. Filter by source, certainty, motif, or date range — all synced to the URL so links are shareable.

    Notes & conversations import — Two new import types that don't require a file upload. Paste plain text or Markdown directly into the app (each paragraph becomes one entry with automatic dedup via content hash), or import a conversation transcript from any JSON format with flexible field names (text/content/body, author/speaker, etc.). Speaker attribution is preserved as attributed_to.

    Bulk motif creation — The motif list now has a quick-create form that stays open and refocuses after each submission, so you can name a queue of motifs without interruption. A "Needs details" filter tab surfaces new motifs with no description or entries yet. On entry pages, the "Add to motif" panel lets you search or create-and-add in a single step.

    Motif linking from entry pages + connection timestamps — You can now assign an entry to motifs without navigating away. Connections support a timestamp field (M:SS, H:MM:SS, or raw seconds) for recording the exact moment in a video where a connection appears; timestamps render as chips in the motif detail view.

    Collaborative access — Generate read-only share links for any motif. Recipients see a clean public view (entries, connections, motif notes) with no login required. Links are labelled and revocable from the motif's share management panel.

    Stash webhook + API token auth — A new API token system (named, revocable bearer tokens) powers two token-authenticated webhook endpoints: POST /api/webhooks/stash ingests a Stash scene payload and creates an import job, and POST /api/webhooks/browser accepts a URL + selected text from a browser extension or share sheet. Both go through the same sanitize and dedup pipeline as all other import sources.

    Bulk AI re-analysis — A new AI Tools section in Settings lets you re-generate all text embeddings or re-describe all images against your current AI configuration. Progress is tracked live with a polling progress bar. Media uploads now also fingerprint files on upload to catch exact duplicates without an external library.

    Backup dashboard + failure alerting — The backup history table now shows duration, inline error messages, and expanded to 10 entries. A new backup.alertWebhookUrl setting fires a JSON webhook on backup failure, compatible with Slack, Discord, n8n, or any generic receiver.


    Internal

    Test suite — 89 integration and unit tests covering auth, entries CRUD, tags, motifs, connections, settings, import parsers, and security invariants (isSafeUrl, sanitizeContent, VALID_JOB_FIELDS). Runs against real Postgres and Redis — no mocks for infrastructure.

    Security & dependency upgrades — All High/Medium findings from the v1.0.0 audit resolved (parameterized LIMIT, sendFile root containment, URL scheme validation, rate limiting, env injection hardening). Major dependency upgrades: Express v5, openid-client v6, Vite v8, React Router v7, Tailwind CSS v4.

    Bug fix — Session cookie changed from SameSite=None to SameSite=Lax, fixing a silent cookie rejection issue in non-HTTPS dev environments that broke the OIDC login flow.

    Downloads
  • v1.0.0 00a92a2c16

    v1.0.0 Stable

    rbrooks released this 2026-03-28 03:01:46 +00:00 | 251 commits to main since this release

    All 10 phases complete:

    • Auth (Authentik OIDC), PWA, dark mode
    • Entry CRUD, tags, audit log
    • Import pipeline (Twitter, Bluesky), duplicate detection
    • Image uploads, provider-agnostic AI (Ollama/OpenAI/Anthropic)
    • Motifs, typed connections, graph view
    • Full-text + semantic search (pgvector)
    • Live-editable settings panel
    • Restic backup (configurable repo, scheduled)
    • Data export (JSON, CSV, Markdown)
    • QuickCapture FAB, offline queue, keyboard shortcuts
    Downloads