BlazeUp-AI/Observal

v0.6.0 Security

This release includes 10 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

agents, antigravity, claude-code, cli-tool, cursor, cursor-ai, evaluation, insights, kiro, large-language-models, litellm, llm, llm-evaluation, llm-observability, llmops, monitoring, observability, playground, self-hosted

Affected surfaces

auth, rbac, crypto_tls

Summary

AI summary: broad release touching CI, the 0.6.0 changelog (2026-05-16), Other, and Testing.

Full changelog

[0.6.0] - 2026-05-16

Added

  • realign skill model with git-first architecture (skills) (9600d3b)
  • add insight tables to migration system (cd73e1e)
  • add best-effort disclaimer for --git flag (mcp) (360248e)
  • JSON paste as default MCP submit/edit with shared parser (UI) (55daede)
  • make JSON paste the default MCP submission method (cli) (ff9e3de)
  • add backend integration tests against real DB (7e1e8ee)

CI

  • add workflow for backend integration tests (ba4e741)

Documentation

  • update quick start with curl-install and move license to bottom (d1b4dfa)

Fixed

  • correct sentinel timestamp causing broken duration/started columns (traces) (56733af)
  • stub page and hide from sidebar pending rework (errors) (7ccf37b)
  • replace import-based detection with INSIGHTS_AVAILABLE env flag (insights) (d822993)
  • resolve pre-commit and pre-push hook failures (236f9c1)
  • wire token counts and correct duration in session list (7719683)
  • use sessionStorage for access token in loginToWebUI helper (e2e) (4d39d12)
  • replace nonexistent observal-hook.sh with session_push.py (hooks) (77014e6)
  • stop enterprise compose file from overriding DEPLOYMENT_MODE (08e317d)
  • login page respects ?next= param after authentication (0acca4b)
  • migrate JWT signing from HS256 to ES256 (security) (e562524)
  • user-level token revocation and Redis fail-closed auth (security) (899fa0c)
  • update remaining localStorage reads to sessionStorage for access token (71feea2)
  • enforce org ownership on component source routes (security) (2f9dbcb)
  • scope admin dashboard and telemetry queries to requesting user's org (security) (afe13b1)
  • private agents not visible to anonymous callers in local mode (security) (78d465f)
  • scope private registry listings to owner org (security) (af993b0)
  • require authentication on GraphQL telemetry endpoint (security) (ed65c9e)
  • block startup with weak SECRET_KEY, warn on insecure defaults in settings (security) (a22ec35)
  • enforce password strength on account creation and change (OBSV-SEC-006) (security) (cc65f9f)
  • add 'unsafe-inline' to CSP script-src for Next.js hydration (15dcaf8)
  • hide OpenAPI docs and metrics endpoints by default (OBSV-SEC-015) (security) (c338b88)
  • require approved status for agent install, validate MCP commands (OBSV-SEC-027) (security) (5b6a3a0)
  • block password lifecycle routes in SSO-only mode (OBSV-SEC-028) (security) (298cc09)
  • rate limiting only trusts XFF from configured trusted proxies (OBSV-SEC-003) (security) (1b9f087)
  • address PR review feedback (007e05c)
  • add SPDX header and suppress bandit false positive (ci) (a2efe47)
  • renumber insight migration 0004 -> 0005 (alembic) (050a8c2)
  • CSP middleware and access token in sessionStorage (OBSV-SEC-025) (security) (1040029)
  • harden EC2 bootstrap script (OBSV-SEC-020) (security) (d230bf0)
  • block operational paths at ALB by default (OBSV-SEC-018) (security) (0b35ccf)
  • block operational metadata paths in nginx (OBSV-SEC-017) (security) (4a430ab)
  • centralise SSRF guard for webhooks, git clone, MCP analysis (OBSV-SEC-012/013/014) (security) (b78dc96)
  • allow MCP config fields in version extras validation (api) (831a0d1)
  • emit JSON-RPC error notification on MCP startup failure (shim) (4b64b5e)
  • bind stateful services to loopback in Docker Compose (OBSV-SEC-016) (security) (6dbcfac)
  • include auth identity in cache key to prevent cross-user hits (OBSV-SEC-023) (security) (cd3acf6)
  • redact secrets from support log collector output (OBSV-SEC-022) (security) (7a27288)
  • redact secrets before sending content to LLM providers (OBSV-SEC-021) (security) (19ac039)
  • require auth on telemetry reconcile endpoint (OBSV-SEC-011) (security) (9f275df)
  • restrict support diagnostics to admin role (OBSV-SEC-008) (security) (4ed0883)
  • apply execution time floor to every ClickHouse query (OBSV-SEC-026) (security) (b1d80bd)
  • validate session IDs before SQL interpolation in shim enrichment (security) (66ca3d0)
  • use FINAL instead of GROUP BY for session_stats_agg (server) (ce8069b)
  • default to ~/.observal on macOS for Docker compatibility (deploy) (119aed3)
  • add OBSERVAL_FORCE=1 to skip overwrite prompt (deploy) (9910a94)
  • read from /dev/tty so curl|bash works interactively (deploy) (4bc203b)

Other

  • remove hardcoded dev paths and stale internal docs (6f39743)
  • ignore pi-lens cache directories (b8d84e2)
  • update dependency authlib to v1.7.1 [security] (#923) (deps) (6a00ce3)
  • ignore and untrack Terraform plan files (OBSV-SEC-019) (security) (c4873d4)

Testing

  • add coverage for MCP config parser, shim errors, and edit/submit (8896814)

Security Fixes

  • Migrate JWT signing from HS256 to ES256 (security)
  • Enforce password strength on account creation and change (OBSV-SEC-006) (security)
  • Block operational paths at ALB by default (OBSV-SEC-018) (security)
  • Harden EC2 bootstrap script (OBSV-SEC-020) (security)
  • Rate limiting only trusts XFF from configured trusted proxies (OBSV-SEC-003) (security)
  • Require authentication on GraphQL telemetry endpoint (security)
  • Hide OpenAPI docs and metrics endpoints by default (OBSV-SEC-015) (security)
  • Require approved status for agent install, validate MCP commands (OBSV-SEC-027) (security)
  • Block password lifecycle routes in SSO-only mode (OBSV-SEC-028) (security)
  • Update authlib dependency to v1.7.1 [security] (#923) (deps)


Related context

Earlier breaking changes

  • v1.2.0 Removes legacy pre-JSONL modules in insights.
  • v1.2.0 Removes agent visibility and team access features.
  • v1.1.0 Replace deployment_mode API field with licensed boolean.
  • v0.8.0 Removes goal template, replaces with required prompt field in agent configuration.
