# v1.4 Release Notes

**192 commits · 8 days · April 2–9, 2026**

v1.3.0 made MUTX behave like a real operator lane. v1.4.0 makes it survive production.

This release is about boring, high-leverage infrastructure: a self-hosted docs platform replacing GitBook, RBAC enforcement closing the last auth gaps, an OIDC token validation layer, a production-grade Kubernetes Helm chart, 20 SDK contract test modules, an autonomous development lane subsystem, and enough security hardening to matter.

The platform went from "has the features" to "you can actually run this in an enterprise."

***

## Highlights

### 1. Self-Hosted Documentation Platform (58 commits)

Killed the GitBook dependency. Built a complete `/docs` system into the Next.js app with:

* Markdown rendering via remark→rehype pipeline with GitBook dark theme
* Sidebar navigation with auto-expand, depth-aware items, and chevron indicators
* Breadcrumbs with pathname-based ancestor matching
* Prev/next navigation wired from SUMMARY.md order
* Full-text search with Cmd+K modal and DOM-native indexing
* Right-rail Table of Contents
* GitBook `{% hint %}` blocks rendered as styled callouts
* `data-view=card` tables transformed into styled card grids
* Code copy buttons, light/dark theme switcher
* Mobile sidebar with toggle and close-on-nav
* WCAG contrast fixes, scroll-margin for anchor navigation
* 14 previously orphaned pages wired into SUMMARY.md

### 2. Autonomous Development Lane (25 commits)

New always-on autonomy substrate that feeds tasks from GitHub issues, dispatches work across git worktrees, and reconciles PRs automatically:

* Issue-fed autonomy queue with malformed body rejection
* Worktree-based task dispatching
* Auto-reconciliation of safe PRs
* Auto-resume when usage limits reset
* Fleet task prioritization by signal strength
* Stale task recycling with evidence-change gating
* Guild-style run artifact schema and provenance capture
* OSS attribution ledger for external feature ports
* SDK error handling across 5 modules (agents, security, assistant, budgets, deployments)
* Daemon runtime and queue recovery hardening

### 3. Kubernetes / Helm Chart (NEW — 23 files, \~1,725 lines)

Production-grade Helm chart at `infrastructure/helm/mutx/`:

* Component-specific templates: API, Web, OTel Collector, Redis, Postgres, Ingress, HPA, Secrets, ServiceAccount
* `values.yaml` with sensible dev defaults
* `values.prod.yaml` — HA replicas, topology spread, PDBs, managed DB disabled
* `values.staging.yaml` — middle ground overlay
* Ingress routes `/v1/*` + probes to API, `/*` to web, TLS per-host
* OTel Collector config fully templated with `configOverride` escape hatch
* Secrets auto-generate `JWT_SECRET` and `SECRET_ENCRYPTION_KEY` if unset
* Helm test pod for smoke validation
* `helm lint` clean, 14 resources rendered

### 4. RBAC Enforcement + OIDC Token Validation (9 commits)

The council called these out as gaps. Both are now closed:

**RBAC:**

* Enforced `require_role()` on approvals (DEVELOPER/ADMIN), security (ADMIN), policies (ADMIN), and audit (ADMIN/AUDIT\_ADMIN) routes
* Removed the permissive "allow any authenticated user through" bypass
* Admin-role gates applied at router level via FastAPI dependencies

**OIDC:**

* New `src/api/auth/oidc.py` — JWKS fetcher with 1-hour TTL cache, JWT signature validation, iss/aud/exp claim checks
* Configured via `OIDC_ISSUER`, `OIDC_CLIENT_ID`, `OIDC_JWKS_URI` environment variables
* Ready for any OIDC-compliant IdP (Okta, Auth0, Azure AD, Keycloak)
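
The validation order listed above (cached JWKS lookup, pinned-algorithm signature check, then iss/aud/exp), as an example added here; it is not the contents of `src/api/auth/oidc.py`. `JwksCache`, `validate`, `sign_demo` and the demo key are hypothetical, and the stdlib-only RS256 check stands in for a vetted JWT library so the block runs offline.

```python
import base64, hashlib, hmac, json, time
JWKS_TTL = 3600  # seconds: the 1-hour JWKS cache lifetime from the release note
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class JwksCache:
    def __init__(self, fetch, clock=time.time):  # fetch() returns the parsed JWKS document
        self.fetch, self.clock, self.keys, self.loaded = fetch, clock, {}, None
    def get(self, kid):
        if self.loaded is None or self.clock() - self.loaded >= JWKS_TTL:
            self.keys, self.loaded = {k["kid"]: k for k in self.fetch()["keys"]}, self.clock()
        return self.keys.get(kid)

def pkcs1_sha256(msg, k):  # EMSA-PKCS1-v1_5 encoding of msg for a k-byte modulus
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_ok(msg, sig, jwk):
    n, e = (int.from_bytes(b64d(jwk[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), pkcs1_sha256(msg, k))

def validate(token, cache, issuer, audience, now=None):
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64d(h64)), json.loads(b64d(p64)), b64d(s64)
        kid, alg, aud, exp = header.get("kid"), header.get("alg"), claims.get("aud"), claims.get("exp")
    except (ValueError, AttributeError):
        raise ValueError("malformed token")
    if alg != "RS256" or not isinstance(kid, str):  # pinned: "none" and HS256 never pass
        raise ValueError("unexpected alg")
    jwk = cache.get(kid)
    if jwk is None or not rs256_ok(f"{h64}.{p64}".encode(), sig, jwk):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer: raise ValueError("wrong iss")
    if audience not in (aud if isinstance(aud, list) else [aud]): raise ValueError("wrong aud")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now: raise ValueError("expired")
    return claims

# Constructed test-only key: product of two Mersenne primes, so its factors are public.
N, D = (2**521 - 1) * (2**607 - 1), pow(65537, -1, (2**521 - 2) * (2**607 - 2))
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "n": b64e(N.to_bytes(141, "big")), "e": "AQAB"}]}

def sign_demo(claims, alg="RS256"):  # hypothetical helper that plays the IdP
    msg = b64e(json.dumps({"alg": alg, "kid": "demo-1"}).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = pow(int.from_bytes(pkcs1_sha256(msg.encode(), 141), "big"), D, N)
    return msg + "." + b64e(sig.to_bytes(141, "big"))
```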

### 5. SDK Contract Test Suite (30 commits)

20 new pytest contract test modules covering every SDK surface:

`agents` · `analytics` · `assistant` · `budgets` · `deployments` · `governance_credentials` · `governance_supervision` · `ingest` · `leads` · `newsletter` · `observability` · `onboarding` · `runtime` · `scheduler` · `security` · `sessions` · `swarm` · `templates` · `usage` · `approvals`

Plus gap scanner signals and homepage smoke test stabilization (7 commits relaxing assertions, supporting both landing variants, reducing fold assumptions).

### 6. Landing Page + Contact Page Redesign (24 commits)

**Landing page:** Below-hero redesign with refined motion and handoff animations, recomposed example cards, terminal failure scenes, replaced copied media with MUTX-native art, responsive audit polish, removed dead state and unused components.

**Contact page:** Dedicated hero layout with 2-col desktop grid, mobile-first stacking, new call-me hero image, full-width CTAs.

### 7. Security Hardening (9 commits)

* Enforced verified email on authenticated token access
* Okta JWKS keys endpoint for token verification
* Restored legacy pbkdf2 password verification
* Honored env-file JWT secret in startup validation
* Removed fixed JWT secret defaults from demo config
* Hardened local bootstrap against forwarded header spoofing
* Required auth for self-heal webhook
* Prevented rate limit bypass via spoofed API key headers
* Removed third-party Calendly widget injection
* Enforced TLS for PostgreSQL connections
* Frontend container runs as non-root user

### 8. Adapter Hardening

* **CrewAI:** Replaced hardcoded `api_key=""` with `MUTX_API_KEY` env var fallback + `ValueError` guard
* **LangChain:** Replaced stub `stream_events()` with real async generator — deque buffer, callback monkey-patching, background asyncio task, emitting llm\_start/end, tool\_start/end, agent\_action/finish events

***

## By the Numbers

| Category                      | Commits |
| ----------------------------- | ------: |
| Docs / Self-Hosted Platform   |      58 |
| Testing / Contract Tests      |      30 |
| Autonomous Dev / Agent Lanes  |      25 |
| Frontend / Landing + Contact  |      24 |
| Auth / RBAC / OIDC / Security |       9 |
| CI/CD / Build Pipeline        |       9 |
| SEO / Marketing Pages         |       7 |
| Release / Licensing           |       7 |
| API Routes / Middleware       |       5 |
| Infrastructure / Deployment   |       4 |
| Dashboard / Web UI            |       3 |
| SDK                           |       1 |
| Bug Fixes / Dependencies      |      10 |

***

## Contributors

**Fortune** (111) · **Proactive Coder** (58) · **CIPHER** (22) · **dependabot** (1)

***

## Upgrade Notes

### New Environment Variables

```
# OIDC Token Validation (optional — enable when connecting an external IdP)
OIDC_ISSUER=
OIDC_CLIENT_ID=
OIDC_JWKS_URI=

# CrewAI Adapter (required if using run_crew())
MUTX_API_KEY=***

# Kubernetes / Helm
# See infrastructure/helm/mutx/values.yaml for full reference
```

### Breaking Changes

* **RBAC is now enforced.** Routes under `/audit/*`, `/security/*`, `/policies/*`, and `/approvals/*` now require specific roles. If you have test fixtures or service accounts that relied on open access, update them with appropriate roles.
* **CrewAI `run_crew()`** no longer accepts an empty API key silently. Set `MUTX_API_KEY` or pass `api_key` explicitly.

### Helm Deployment

```bash
# Dev (single replica, minimal resources)
helm install mutx infrastructure/helm/mutx/

# Production (HA, HPA, managed DB)
helm install mutx infrastructure/helm/mutx/ -f infrastructure/helm/mutx/values.prod.yaml

# Staging
helm install mutx infrastructure/helm/mutx/ -f infrastructure/helm/mutx/values.staging.yaml
```

***

## Full Commit History

192 commits since v1.3.0. See the [compare view](https://github.com/mutx-dev/mutx-dev/compare/v1.3.0...v1.4.0) for the complete diff.

***

## What's Next

The substrate is real. What comes after:

* PVC templates for Helm chart persistence (Redis/Postgres)
* Dynamic role management (currently hardcoded ADMIN, AUDIT\_ADMIN, DEVELOPER)
* Full OAuth2 authorization code flow (OIDC is token-validation only right now)
* Adapter integration tests with live framework instances
* Approval escalation routing with notification channels

***

## Supported in v1.4.0

These are the surfaces we consider part of the shipped release:

* `mutx.dev`
* `mutx.dev/download`
* `mutx.dev/releases`
* `docs.mutx.dev` (now self-hosted)
* the signed macOS app downloaded from the public release lane
* `app.mutx.dev/dashboard` for stable browser operator routes
* the CLI install path via `curl -fsSL https://mutx.dev/install.sh | bash`
* Kubernetes/Helm deployment via `infrastructure/helm/mutx/`

## Still preview

These surfaces are still not presented as fully stable in v1.4.0:

* `app.mutx.dev/control/*`
* preview-labeled dashboard areas that are intentionally outside the stable operator lane
* backend capabilities whose live runtime contract is still gated or incomplete

## Artifact and release sources

* Download: `https://mutx.dev/download`
* Release summary: `https://mutx.dev/releases`
* Docs release note: `https://docs.mutx.dev/docs/v1.4`
* GitHub release: `https://github.com/mutx-dev/mutx-dev/releases/tag/v1.4.0`
* Stable dashboard entry: `https://app.mutx.dev/dashboard`

***

**Previous release:** [v1.3.0 Release Notes](https://docs.mutx.dev/docs/v1.3)
