Changelog
Latest headline release: z4j v1.6.5.
Each package versions independently; the table below shows the current latest of every published package. The per-package history follows.
| Package | Latest | Released | Category | License | Links |
|---|---|---|---|---|---|
z4j | 1.6.5 | 2026-05-27 | Umbrella | AGPL-3.0 | PyPI · GitHub · Docs |
z4j-bare | 1.6.5 | 2026-05-27 | Core | Apache-2.0 | PyPI · GitHub · Docs |
z4j-core | 1.6.0 | 2026-05-13 | Core | Apache-2.0 | PyPI · GitHub |
z4j-scheduler | 1.6.5 | 2026-05-27 | Core | Apache-2.0 | PyPI · GitHub · Docs |
z4j-django | 1.6.0 | 2026-05-13 | Frameworks | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-fastapi | 1.6.0 | 2026-05-13 | Frameworks | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-flask | 1.6.0 | 2026-05-13 | Frameworks | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-arq | 1.6.0 | 2026-05-13 | Engines | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-celery | 1.6.0 | 2026-05-13 | Engines | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-dramatiq | 1.6.0 | 2026-05-13 | Engines | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-huey | 1.6.0 | 2026-05-13 | Engines | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-rq | 1.6.0 | 2026-05-13 | Engines | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-taskiq | 1.6.0 | 2026-05-13 | Engines | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-apscheduler | 1.6.0 | 2026-05-13 | Schedulers | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-arqcron | 1.6.0 | 2026-05-13 | Schedulers | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-celerybeat | 1.6.0 | 2026-05-13 | Schedulers | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-hueyperiodic | 1.6.0 | 2026-05-13 | Schedulers | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-rqscheduler | 1.6.0 | 2026-05-13 | Schedulers | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
z4j-taskiqscheduler | 1.6.0 | 2026-05-13 | Schedulers | Apache-2.0 | PyPI · GitHub · Docs · Upstream |
History by package
Section titled “History by package”z4j
v1.6.5 (2026-05-27)
- security: Six rounds of external audit closed eleven findings. Fresh-MFA gate extended to every privileged admin, agent, membership, invitation, and notification-channel mutating route. Password-reset tokens are now claimed atomically by the database under concurrent confirms (single-use enforced at the row level, not in application memory). Agent revocation closes live WebSocket sessions cluster-wide via Postgres NOTIFY. Outbound notification webhooks include a timestamp + dual-signature scheme so captured payloads cannot be replayed.
- security: Standalone z4j-scheduler /metrics is fail-secure in production: the previously-dead metrics_enabled toggle now controls the route, and a startup validator refuses to start with a non-loopback bind and no auth token. z4j-bare agent buffer SQLite + WAL + SHM files are forced to 0600 on creation. Brain host-validation middleware rejects present-but-malformed Host headers (path separators, control characters, nonnumeric ports) before the allow-list check.
- security: Dependency floors raised for CVE close: Starlette >=1.0.1 (CVE-2026-48710 BadHost), python-multipart >=0.0.27 (CVE-2026-42561), plus lock refresh of idna, mako, and urllib3.
- changed: Password minimum length aligned at 12 characters across backend default, dashboard fallback, and operator docs.
v1.6.3 (2026-05-15)
- security: OpenAPI schema and Swagger UI now require authentication by default. New `Z4J_OPENAPI_VISIBILITY` setting controls visibility.
- security: Health endpoints no longer disclose the runtime version to unauthenticated callers.
- security: Additional endpoint hardening and rate-limit coverage.
v1.6.2 (2026-05-14)
- changed: Dashboard design system unified across every page: consistent headers, filter toolbars, search inputs, action buttons, empty states, and time-range pickers. Settings, project pages, and home all share the same visual rhythm.
- added: Search + state filter on the Agents, Queues, and Workers pages.
- security: Frontend dependencies refreshed to latest patches; cleared two high-severity advisories in a transitive build-time dependency on the marketing site (not in the runtime bundle).
v1.6.1 (2026-05-13)
- fixed: 1.6.0 shipped with a stale dashboard bundle that omitted the new MFA enrollment screen and the post-login challenge page. 1.6.1 ships the correct dashboard. `pip install --upgrade z4j` picks up the fix in place.
v1.6.0 (2026-05-13)
- added: Multi-factor authentication. TOTP via any standard authenticator app (Authy, 1Password, Google Authenticator, etc.), single-use recovery codes, optional 30-day device trust. Opt-in: existing users stay unenrolled until they enable it.
- added: Microsoft Teams notification channel. Workflows webhooks, Power Automate, and the legacy O365 connector all auto-detected at save time.
- added: Sentry error capture, OpenTelemetry tracing, audit-log webhook forwarding, four Grafana dashboards, and a Live Activity Feed on the dashboard home.
- changed: One bidirectional schema migration (upgrade and downgrade both safe on populated databases). No data migration required.
v1.5.1 (2026-05-12)
- fixed: Brain memory leak under sustained burst load (the operational caveat from 1.5.0). Operators on sustained 100+ tasks/sec no longer need restart-every-4h hygiene. Tunable via the new `Z4J_DATABASE_STATEMENT_CACHE_SIZE` setting.
- added: Four new Prometheus gauges + a Grafana dashboard so operators can verify the fix in their own environment.
v1.5.0 (2026-05-11)
- security: Closed seven security findings from a full audit: stricter email validation, scrubbed error messages, project enumeration closed, hardened response headers, per-request CSP nonce, gRPC scheduler refuses to start in production without TLS.
- fixed: Six task-correctness bugs around event ack, recv-loop decoupling, broker-event filtering, and content-derived event-id deduplication.
- fixed: Scheduler load-test issues: vocab alignment between brain and scheduler, embedded PKI permissions, multi-worker race, cooperative yield on brain restart.
v1.4.0 (2026-05-03)
- changed: The brain server, dashboard, REST API, audit log, and reconciliation all ship in a single `z4j` distribution. `pip install z4j` is the only install path operators need.
- added: Engine adapters available via extras: `pip install z4j[django,celery]` for the full Django + Celery stack, plus extras for FastAPI, Flask, RQ, Dramatiq, Huey, arq, TaskIQ, APScheduler.
- security: Full security audit pass before tag, with every Critical and High finding patched and pinned by a regression test.