Changelog

First public release of z4j.

  • Celery, RQ, Dramatiq, Huey, arq, taskiq - six engines in the box.
  • Unified action surface: retry / cancel / bulk-retry with polyfill on every engine.
  • celery-beat (writable), rq-scheduler (read-only), APScheduler (writable), huey-periodic (read-only), arq-cron (read-only), taskiq-scheduler (writable).
  • FastAPI backend with async Postgres via SQLAlchemy 2.0.
  • TanStack Start v1 dashboard (React 19.2, TypeScript 6, Tailwind 4, shadcn/ui).
  • Reconciliation worker - detects stuck tasks and marks them lost.
  • HMAC-chained audit log with row_hmac + prev_row_hmac chain (v3 canonical).
  • RBAC: owner / admin / operator / viewer. Project-scoped.
  • Multi-user invitations + SMTP auto-send (Gmail, Mailgun, Brevo presets).
  • Password reset flow (self-serve or CLI).
  • Rate limits on all unauthenticated endpoints.
  • argon2id password hashing with OWASP 2024 defaults.
  • Password policy: 3-of-4 character classes + ~1,500-entry denylist.
  • First-boot setup URL (one-shot, printed to stderr, not stdout).
  • Z4J_BOOTSTRAP_ADMIN_* env for IaC pipelines.
  • Prometheus metrics at /metrics.
  • /api/v1/health with DB + audit chain status.
  • Framework adapters: Django, Flask, FastAPI, bare Python.
  • Wire protocol v1 (JSON-over-WebSocket).
  • Redaction: field-name + pattern matching, before events leave the process.
  • Buffering during network partition with at-least-once delivery.
  • Task registry: 5-layer discovery.
  • Heartbeat + reconnect with exponential backoff.
  • Two rounds of pre-release security audit (see docs/SECURITY_AUDIT_PRERELEASE.md).
  • Agent unique constraint on (project_id, name) - prevents duplicate-register race.
  • Z4J_PUBLIC_URL validator rejects whitespace, userinfo, non-http schemes.
  • Dummy hash for absent-user login branches (constant-time).
  • Session cookie: HttpOnly, Secure, SameSite=Lax.