1.3.0

What's Changed

• feat: cross-tenant token usage metrics for super admin by @yuzushi-dev in #8
• feat/fix: Amber feedback backlog by @yuzushi-dev in #11
• fix: hardening (RLS, shutdown, CORS, secrets, cleanup) by @yuzushi-dev in #10
• chore: various fixes (frontend prod build + backup rewrite) by @yuzushi-dev in #9
• feat(logging): structured logging with structlog + rich by @yuzushi-dev in #12
• Feature/ztd 1819 query complexity router by @yuzushi-dev in #13
• fix(worker): resolve SQLAlchemy mapper error and missing app.current_… by @yuzushi-dev in #14

Full Changelog: v1.2.0...1.3.0

1.2.0

Release 1.2.0

Branch: tenant-fixes-and-security-updates
Period: 2026-02-27 – 2026-03-30
Impact: 82 files changed, 9,119 insertions, 479 deletions
Status: Deployed to production, validated in prod, and checkpointed in git
DB Schema: 20260327_1900 (head)

---

Overview

This release turns Amber into a shared enterprise GraphRAG platform centered on a single shared default corpus plus tenant-local overlays. The rollout removes the need to duplicate documents per tenant, adds document-level sharing and ACL-aware retrieval, introduces runtime kill switches and observability, and leaves historical cleanup deferred.

---

Shared GraphRAG Architecture

• default tenant now acts as the system parent for shared content and base tuning.
• Effective config inheritance resolves default -> tenant, while tenant-local data remains isolated.
• Query scope resolution is explicit, allowing shared and local retrieval paths to be composed without widening tenant visibility.
• Legacy tenant provisioning is still present for recovery or controlled migration only, but it is disabled by default and guarded by policy.

Document Sharing And ACL Enforcement

• Added document_shares with migrations for table creation, default-owner management, and the RLS recursion fix.
• Default-owned documents can be shared to specific tenants at upload time or later from the document library.
• Shared-document read paths now cover list, detail, file, chunks, entities, relationships, communities, and similarities.
• Vector retrieval, global search, and graph traversal are ACL-aware and only include default documents explicitly shared to the caller tenant.
• Visibility observability now distinguishes document_visibility_denied from document_visibility_not_found.
• Added negative-path validation for non-shared default documents and a short-lived cache for visible shared document IDs with explicit invalidation on share mutations.

Admin UX And Operational Controls

• Added share management UI, bulk share workflows, and upload visibility selection for default admins.
• Added document-share observability endpoints, audit integration, and rollout runbooks.
• Added runtime kill switches for share management, upload-time shares, vector ACL retrieval, and graph ACL retrieval.
• Tightened admin or client routing and permission-aware frontend behavior around setup, documents, citations, and API-key login flows.

Validation

• Added unit and integration coverage for config inheritance, query scopes, share management, visibility, metrics, provisioning policy, and ACL-aware retrieval.
• Added E2E coverage for auth matrix, key tiers, chat history isolation, graph sync, tenant isolation, and the end-to-end query or document pipeline.
• Production API schema and migrations are aligned at 20260327_1900 (head).

---